# Access

# AI Controls

# MCP

# Portals

## List MCP Portals

`zero_trust.access.ai_controls.mcp.portals.list(**kwargs: PortalListParams) -> SyncV4PagePaginationArray[PortalListResponse]`

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Lists all MCP portals configured for the account.

### Parameters

- `account_id: str`
- `page: Optional[int]`
- `per_page: Optional[int]`
- `search: Optional[str]` Search by id, name, hostname

### Returns

- `class PortalListResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `servers: List[Server]`
    - `id: str` server id
    - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: str`
    - `name: str`
    - `prompts: List[Dict[str, object]]`
    - `tools: List[Dict[str, object]]`
    - `updated_prompts: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `updated_tools: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `created_at: Optional[datetime]`
    - `created_by: Optional[str]`
    - `default_disabled: Optional[bool]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `last_successful_sync: Optional[datetime]`
    - `last_synced: Optional[datetime]`
    - `modified_at: Optional[datetime]`
    - `modified_by: Optional[str]`
    - `on_behalf: Optional[bool]`
    - `status: Optional[str]`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.ai_controls.mcp.portals.list(
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-portal",
      "hostname": "example.com",
      "name": "My MCP Portal",
      "servers": [
        {
          "id": "my-mcp-server",
          "auth_type": "unauthenticated",
          "hostname": "https://example.com/mcp",
          "name": "My MCP Server",
          "prompts": [{ "foo": "bar" }],
          "tools": [{ "foo": "bar" }],
          "updated_prompts": [{ "foo": 0 }],
          "updated_tools": [{ "foo": 0 }],
          "created_at": "2019-12-27T18:11:19.117Z",
          "created_by": "created_by",
          "default_disabled": true,
          "description": "This is one remote mcp server",
          "error": "error",
          "last_successful_sync": "2019-12-27T18:11:19.117Z",
          "last_synced": "2019-12-27T18:11:19.117Z",
          "modified_at": "2019-12-27T18:11:19.117Z",
          "modified_by": "modified_by",
          "on_behalf": true,
          "status": "status"
        }
      ],
      "allow_code_mode": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is my custom MCP Portal",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "secure_web_gateway": false
    }
  ],
  "success": true
}
```

## Create a new MCP Portal

`zero_trust.access.ai_controls.mcp.portals.create(**kwargs: PortalCreateParams) -> PortalCreateResponse`

**post** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Creates a new MCP portal for managing AI tool access through Cloudflare Access.
### Parameters

- `account_id: str`
- `id: str` portal id
- `hostname: str`
- `name: str`
- `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
- `description: Optional[str]`
- `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `servers: Optional[Iterable[Server]]`
  - `server_id: str` server id
  - `default_disabled: Optional[bool]`
  - `on_behalf: Optional[bool]`
  - `updated_prompts: Optional[Iterable[ServerUpdatedPrompt]]`
    - `name: str`
    - `alias: Optional[str]`
    - `description: Optional[str]`
    - `enabled: Optional[bool]`
  - `updated_tools: Optional[Iterable[ServerUpdatedTool]]`
    - `name: str`
    - `alias: Optional[str]`
    - `description: Optional[str]`
    - `enabled: Optional[bool]`

### Returns

- `class PortalCreateResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
portal = client.zero_trust.access.ai_controls.mcp.portals.create(
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
    id="my-mcp-portal",
    hostname="example.com",
    name="My MCP Portal",
)
print(portal.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Read details of an MCP Portal

`zero_trust.access.ai_controls.mcp.portals.read(id: str, **kwargs: PortalReadParams) -> PortalReadResponse`

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Reads the details of an MCP portal.

### Parameters

- `account_id: str`
- `id: str` portal id

### Returns

- `class PortalReadResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `servers: List[Server]`
    - `id: str` server id
    - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: str`
    - `name: str`
    - `prompts: List[Dict[str, object]]`
    - `tools: List[Dict[str, object]]`
    - `updated_prompts: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `updated_tools: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `created_at: Optional[datetime]`
    - `created_by: Optional[str]`
    - `default_disabled: Optional[bool]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `last_successful_sync: Optional[datetime]`
    - `last_synced: Optional[datetime]`
    - `modified_at: Optional[datetime]`
    - `modified_by: Optional[str]`
    - `on_behalf: Optional[bool]`
    - `status: Optional[str]`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.ai_controls.mcp.portals.read(
    id="my-mcp-portal",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(response.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "servers": [
      {
        "id": "my-mcp-server",
        "auth_type": "unauthenticated",
        "hostname": "https://example.com/mcp",
        "name": "My MCP Server",
        "prompts": [{ "foo": "bar" }],
        "tools": [{ "foo": "bar" }],
        "updated_prompts": [{ "foo": 0 }],
        "updated_tools": [{ "foo": 0 }],
        "created_at": "2019-12-27T18:11:19.117Z",
        "created_by": "created_by",
        "default_disabled": true,
        "description": "This is one remote mcp server",
        "error": "error",
        "last_successful_sync": "2019-12-27T18:11:19.117Z",
        "last_synced": "2019-12-27T18:11:19.117Z",
        "modified_at": "2019-12-27T18:11:19.117Z",
        "modified_by": "modified_by",
        "on_behalf": true,
        "status": "status"
      }
    ],
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Update an MCP Portal

`zero_trust.access.ai_controls.mcp.portals.update(id: str, **kwargs: PortalUpdateParams) -> PortalUpdateResponse`

**put** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Updates an MCP portal configuration.
### Parameters

- `account_id: str`
- `id: str` portal id
- `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
- `description: Optional[str]`
- `hostname: Optional[str]`
- `name: Optional[str]`
- `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `servers: Optional[Iterable[Server]]`
  - `server_id: str` server id
  - `default_disabled: Optional[bool]`
  - `on_behalf: Optional[bool]`
  - `updated_prompts: Optional[Iterable[ServerUpdatedPrompt]]`
    - `name: str`
    - `alias: Optional[str]`
    - `description: Optional[str]`
    - `enabled: Optional[bool]`
  - `updated_tools: Optional[Iterable[ServerUpdatedTool]]`
    - `name: str`
    - `alias: Optional[str]`
    - `description: Optional[str]`
    - `enabled: Optional[bool]`

### Returns

- `class PortalUpdateResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
portal = client.zero_trust.access.ai_controls.mcp.portals.update(
    id="my-mcp-portal",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(portal.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Delete an MCP Portal

`zero_trust.access.ai_controls.mcp.portals.delete(id: str, **kwargs: PortalDeleteParams) -> PortalDeleteResponse`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Deletes an MCP portal from the account.

### Parameters

- `account_id: str`
- `id: str` portal id

### Returns

- `class PortalDeleteResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
portal = client.zero_trust.access.ai_controls.mcp.portals.delete(
    id="my-mcp-portal",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(portal.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Domain Types

### Portal List Response

- `class PortalListResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `servers: List[Server]`
    - `id: str` server id
    - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: str`
    - `name: str`
    - `prompts: List[Dict[str, object]]`
    - `tools: List[Dict[str, object]]`
    - `updated_prompts: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `updated_tools: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `created_at: Optional[datetime]`
    - `created_by: Optional[str]`
    - `default_disabled: Optional[bool]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `last_successful_sync: Optional[datetime]`
    - `last_synced: Optional[datetime]`
    - `modified_at: Optional[datetime]`
    - `modified_by: Optional[str]`
    - `on_behalf: Optional[bool]`
    - `status: Optional[str]`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Create Response

- `class PortalCreateResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Read Response

- `class PortalReadResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `servers: List[Server]`
    - `id: str` server id
    - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: str`
    - `name: str`
    - `prompts: List[Dict[str, object]]`
    - `tools: List[Dict[str, object]]`
    - `updated_prompts: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `updated_tools: List[Dict[str, Union[float, str]]]`
      - `float`
      - `str`
    - `created_at: Optional[datetime]`
    - `created_by: Optional[str]`
    - `default_disabled: Optional[bool]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `last_successful_sync: Optional[datetime]`
    - `last_synced: Optional[datetime]`
    - `modified_at: Optional[datetime]`
    - `modified_by: Optional[str]`
    - `on_behalf: Optional[bool]`
    - `status: Optional[str]`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Update Response

- `class PortalUpdateResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Delete Response

- `class PortalDeleteResponse: …`
  - `id: str` portal id
  - `hostname: str`
  - `name: str`
  - `allow_code_mode: Optional[bool]` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `secure_web_gateway: Optional[bool]` Route outbound MCP traffic through Zero Trust Secure Web Gateway

# Servers

## List MCP Servers

`zero_trust.access.ai_controls.mcp.servers.list(**kwargs: ServerListParams) -> SyncV4PagePaginationArray[ServerListResponse]`

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Lists all MCP servers configured for the account.
### Parameters

- `account_id: str`
- `page: Optional[int]`
- `per_page: Optional[int]`
- `search: Optional[str]` Search by id, name

### Returns

- `class ServerListResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.ai_controls.mcp.servers.list(
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-server",
      "auth_type": "unauthenticated",
      "hostname": "https://example.com/mcp",
      "name": "My MCP Server",
      "prompts": [{ "foo": "bar" }],
      "tools": [{ "foo": "bar" }],
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is one remote mcp server",
      "error": "error",
      "last_successful_sync": "2019-12-27T18:11:19.117Z",
      "last_synced": "2019-12-27T18:11:19.117Z",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "status": "status"
    }
  ],
  "success": true
}
```

## Create a new MCP Server

`zero_trust.access.ai_controls.mcp.servers.create(**kwargs: ServerCreateParams) -> ServerCreateResponse`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Creates a new MCP server that portals can expose through Cloudflare Access.

### Parameters

- `account_id: str`
- `id: str` server id
- `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
  - `"oauth"`
  - `"bearer"`
  - `"unauthenticated"`
- `hostname: str`
- `name: str`
- `auth_credentials: Optional[str]`
- `description: Optional[str]`

### Returns

- `class ServerCreateResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
server = client.zero_trust.access.ai_controls.mcp.servers.create(
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
    id="my-mcp-server",
    auth_type="unauthenticated",
    hostname="https://example.com/mcp",
    name="My MCP Server",
)
print(server.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Read the details of an MCP Server

`zero_trust.access.ai_controls.mcp.servers.read(id: str, **kwargs: ServerReadParams) -> ServerReadResponse`

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Reads the details of an MCP server.

### Parameters

- `account_id: str`
- `id: str` server id

### Returns

- `class ServerReadResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.ai_controls.mcp.servers.read(
    id="my-mcp-server",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(response.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Update an MCP Server

`zero_trust.access.ai_controls.mcp.servers.update(id: str, **kwargs: ServerUpdateParams) -> ServerUpdateResponse`

**put** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Updates an MCP server configuration.

### Parameters

- `account_id: str`
- `id: str` server id
- `auth_credentials: Optional[str]`
- `description: Optional[str]`
- `name: Optional[str]`

### Returns

- `class ServerUpdateResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
server = client.zero_trust.access.ai_controls.mcp.servers.update(
    id="my-mcp-server",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(server.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Delete an MCP Server

`zero_trust.access.ai_controls.mcp.servers.delete(id: str, **kwargs: ServerDeleteParams) -> ServerDeleteResponse`

**delete** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Deletes an MCP server from the account.

### Parameters

- `account_id: str`
- `id: str` server id

### Returns

- `class ServerDeleteResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
server = client.zero_trust.access.ai_controls.mcp.servers.delete(
    id="my-mcp-server",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(server.id)
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Sync MCP Server Capabilities

`zero_trust.access.ai_controls.mcp.servers.sync(id: str, **kwargs: ServerSyncParams) -> object`

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync`

Syncs an MCP server's tool catalog with the portal.

### Parameters

- `account_id: str`
- `id: str` server id

### Returns

- `object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.ai_controls.mcp.servers.sync(
    id="my-mcp-server",
    account_id="a86a8f5c339544d7bdc89926de14fb8c",
)
print(response)
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Server List Response

- `class ServerListResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Server Create Response

- `class ServerCreateResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Server Read Response

- `class ServerReadResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Server Update Response

- `class ServerUpdateResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

### Server Delete Response

- `class ServerDeleteResponse: …`
  - `id: str` server id
  - `auth_type: Literal["oauth", "bearer", "unauthenticated"]`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: str`
  - `name: str`
  - `prompts: List[Dict[str, object]]`
  - `tools: List[Dict[str, object]]`
  - `created_at: Optional[datetime]`
  - `created_by: Optional[str]`
  - `description: Optional[str]`
  - `error: Optional[str]`
  - `last_successful_sync: Optional[datetime]`
  - `last_synced: Optional[datetime]`
  - `modified_at: Optional[datetime]`
  - `modified_by: Optional[str]`
  - `status: Optional[str]`

# Gateway CA

## List SSH Certificate Authorities (CA)

`zero_trust.access.gateway_ca.list(**kwargs: GatewayCAListParams) -> SyncSinglePage[GatewayCAListResponse]`

**get** `/accounts/{account_id}/access/gateway_ca`

Lists SSH Certificate Authorities (CA).

### Parameters

- `account_id: str` Identifier.

### Returns

- `class GatewayCAListResponse: …`
  - `id: Optional[str]` The key ID of this certificate.
  - `public_key: Optional[str]` The public key of this certificate.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.gateway_ca.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "public_key": "public_key"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Add a new SSH Certificate Authority (CA)

`zero_trust.access.gateway_ca.create(**kwargs: GatewayCACreateParams) -> GatewayCACreateResponse`

**post** `/accounts/{account_id}/access/gateway_ca`

Adds a new SSH Certificate Authority (CA).

### Parameters

- `account_id: str` Identifier.

### Returns

- `class GatewayCACreateResponse: …`
  - `id: Optional[str]` The key ID of this certificate.
  - `public_key: Optional[str]` The public key of this certificate.
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) gateway_ca = client.zero_trust.access.gateway_ca.create( account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(gateway_ca.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "public_key": "public_key" } } ``` ## Delete an SSH Certificate Authority (CA) `zero_trust.access.gateway_ca.delete(strcertificate_id, GatewayCADeleteParams**kwargs) -> GatewayCADeleteResponse` **delete** `/accounts/{account_id}/access/gateway_ca/{certificate_id}` Deletes an SSH Certificate Authority. ### Parameters - `account_id: str` Identifier. - `certificate_id: str` UUID. ### Returns - `class GatewayCADeleteResponse: …` - `id: Optional[str]` UUID. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) gateway_ca = client.zero_trust.access.gateway_ca.delete( certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(gateway_ca.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Gateway CA List Response - `class GatewayCAListResponse: …` - `id: Optional[str]` The key ID of this certificate. 
  - `public_key: Optional[str]` The public key of this certificate.

### Gateway CA Create Response

- `class GatewayCACreateResponse: …`
  - `id: Optional[str]` The key ID of this certificate.
  - `public_key: Optional[str]` The public key of this certificate.

### Gateway CA Delete Response

- `class GatewayCADeleteResponse: …`
  - `id: Optional[str]` UUID.

# Infrastructure

# Targets

## List all targets

`zero_trust.access.infrastructure.targets.list(TargetListParams**kwargs) -> SyncV4PagePaginationArray[TargetListResponse]`

**get** `/accounts/{account_id}/infrastructure/targets`

Lists and sorts an account’s targets. Filters are optional and are ANDed together.

### Parameters

- `account_id: str` Account identifier
- `created_after: Optional[Union[str, datetime, null]]` Date and time at which the target was created after (inclusive)
- `created_before: Optional[Union[str, datetime, null]]` Date and time at which the target was created before (inclusive)
- `direction: Optional[Literal["asc", "desc"]]` The sorting direction.
  - `"asc"`
  - `"desc"`
- `hostname: Optional[str]` Hostname of a target
- `hostname_contains: Optional[str]` Partial match to the hostname of a target
- `ip_like: Optional[str]` Filters for targets whose IP addresses look like the specified string. Supports `*` as a wildcard character
- `ip_v4: Optional[str]` IPv4 address of the target
- `ip_v6: Optional[str]` IPv6 address of the target
- `ips: Optional[SequenceNotStr[str]]` Filters for targets that have any of the following IP addresses. Specify `ips` multiple times in query parameter to build list of candidates.
- `ipv4_end: Optional[str]` Defines an IPv4 filter range's ending value (inclusive). Requires `ipv4_start` to be specified as well.
- `ipv4_start: Optional[str]` Defines an IPv4 filter range's starting value (inclusive). Requires `ipv4_end` to be specified as well.
- `ipv6_end: Optional[str]` Defines an IPv6 filter range's ending value (inclusive). Requires `ipv6_start` to be specified as well.
- `ipv6_start: Optional[str]` Defines an IPv6 filter range's starting value (inclusive). Requires `ipv6_end` to be specified as well.
- `modified_after: Optional[Union[str, datetime, null]]` Date and time at which the target was modified after (inclusive)
- `modified_before: Optional[Union[str, datetime, null]]` Date and time at which the target was modified before (inclusive)
- `order: Optional[Literal["hostname", "created_at"]]` The field to sort by.
  - `"hostname"`
  - `"created_at"`
- `page: Optional[int]` Current page in the response
- `per_page: Optional[int]` Max amount of entries returned per page
- `target_ids: Optional[SequenceNotStr[str]]` Filters for targets that have any of the following UUIDs. Specify `target_ids` multiple times in query parameter to build list of candidates.
- `virtual_network_id: Optional[str]` Private virtual network identifier of the target

### Returns

- `class TargetListResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.infrastructure.targets.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get target

`zero_trust.access.infrastructure.targets.get(str target_id, TargetGetParams**kwargs) -> TargetGetResponse`

**get** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Get target

### Parameters

- `account_id: str` Account identifier
- `target_id: str` Target identifier

### Returns

- `class TargetGetResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
target = client.zero_trust.access.infrastructure.targets.get(
    target_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(target.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Create new target

`zero_trust.access.infrastructure.targets.create(TargetCreateParams**kwargs) -> TargetCreateResponse`

**post** `/accounts/{account_id}/infrastructure/targets`

Create new target

### Parameters

- `account_id: str` Account identifier
- `hostname: str` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
- `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
  - `ipv4: Optional[IPIPV4]` The target's IPv4 address
    - `ip_addr: Optional[str]` IP address of the target
    - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ipv6: Optional[IPIPV6]` The target's IPv6 address
    - `ip_addr: Optional[str]` IP address of the target
    - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `class TargetCreateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
target = client.zero_trust.access.infrastructure.targets.create(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    hostname="infra-access-target",
    ip={},
)
print(target.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Update target

`zero_trust.access.infrastructure.targets.update(str target_id, TargetUpdateParams**kwargs) -> TargetUpdateResponse`

**put** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Update target

### Parameters

- `account_id: str` Account identifier
- `target_id: str` Target identifier
- `hostname: str` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
- `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
  - `ipv4: Optional[IPIPV4]` The target's IPv4 address
    - `ip_addr: Optional[str]` IP address of the target
    - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ipv6: Optional[IPIPV6]` The target's IPv6 address
    - `ip_addr: Optional[str]` IP address of the target
    - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `class TargetUpdateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
target = client.zero_trust.access.infrastructure.targets.update(
    target_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    hostname="infra-access-target",
    ip={},
)
print(target.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Delete target

`zero_trust.access.infrastructure.targets.delete(str target_id, TargetDeleteParams**kwargs)`

**delete** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Delete target

### Parameters

- `account_id: str` Account identifier
- `target_id: str` Target identifier

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
client.zero_trust.access.infrastructure.targets.delete(
    target_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
```

## Create new targets

`zero_trust.access.infrastructure.targets.bulk_update(TargetBulkUpdateParams**kwargs) -> SyncSinglePage[TargetBulkUpdateResponse]`

**put** `/accounts/{account_id}/infrastructure/targets/batch`

Adds one or more targets.

### Parameters

- `account_id: str` Account identifier
- `body: Iterable[Body]`
  - `hostname: str` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `ip: BodyIP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[BodyIPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[BodyIPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `class TargetBulkUpdateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.infrastructure.targets.bulk_update(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    body=[{
        "hostname": "infra-access-target",
        "ip": {},
    }],
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ]
}
```

## Delete targets (Deprecated)

`zero_trust.access.infrastructure.targets.bulk_delete(TargetBulkDeleteParams**kwargs)`

**delete** `/accounts/{account_id}/infrastructure/targets/batch`

Removes one or more targets.

### Parameters

- `account_id: str` Account identifier

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
client.zero_trust.access.infrastructure.targets.bulk_delete(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
```

## Delete targets

`zero_trust.access.infrastructure.targets.bulk_delete_v2(TargetBulkDeleteV2Params**kwargs)`

**post** `/accounts/{account_id}/infrastructure/targets/batch_delete`

Removes one or more targets.
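The SDK examples for the target endpoints in this section pass `ip={}` as a placeholder. The following added helper (not part of the Cloudflare SDK or its docs) builds the `hostname`/`ip` body that `targets.create`, `targets.update` and each `targets.bulk_update` item expect, checking the documented hostname constraints and that the addresses parse, and assembles keyword arguments for `targets.list` that enforce the documented `ipv4_start`/`ipv4_end` and `ipv6_start`/`ipv6_end` pairing plus UUID-shaped `target_ids`. The sample values are the page's own example values; the requirement that a target carry at least one address is this example's assumption.

```python
from __future__ import annotations

import ipaddress
import re
import uuid
from typing import Any, Iterable, Optional

# Hostname rule from the targets.create / targets.update parameter docs: case insensitive,
# at most 255 characters, letters/digits plus "-" and ".", no spaces, and it must start and
# end with an alphanumeric character.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?$")


def validate_hostname(hostname: str) -> str:
    """Return the hostname unchanged if it satisfies the documented constraints."""
    if not _HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"invalid target hostname: {hostname!r}")
    return hostname


def _vnet(virtual_network_id: Optional[str]) -> dict[str, str]:
    """Optional virtual_network_id; omitting it means the account's default VNET."""
    if virtual_network_id is None:
        return {}
    uuid.UUID(virtual_network_id)  # raises ValueError for anything that is not a UUID
    return {"virtual_network_id": virtual_network_id}


def target_body(
    hostname: str,
    ipv4: Optional[str] = None,
    ipv6: Optional[str] = None,
    virtual_network_id: Optional[str] = None,
) -> dict[str, Any]:
    """Build the `hostname` + `ip` part of a create/update call or one bulk_update item."""
    if ipv4 is None and ipv6 is None:
        raise ValueError("a target needs at least one of ipv4 or ipv6")  # example's assumption
    ip: dict[str, Any] = {}
    if ipv4 is not None:
        ip["ipv4"] = {"ip_addr": str(ipaddress.IPv4Address(ipv4)), **_vnet(virtual_network_id)}
    if ipv6 is not None:
        ip["ipv6"] = {"ip_addr": str(ipaddress.IPv6Address(ipv6)), **_vnet(virtual_network_id)}
    return {"hostname": validate_hostname(hostname), "ip": ip}


def target_list_filters(
    ipv4_start: Optional[str] = None,
    ipv4_end: Optional[str] = None,
    ipv6_start: Optional[str] = None,
    ipv6_end: Optional[str] = None,
    target_ids: Optional[Iterable[str]] = None,
    **other: Any,
) -> dict[str, Any]:
    """Assemble keyword arguments for targets.list, enforcing the documented range pairing."""
    params: dict[str, Any] = dict(other)
    for name, start, end, cls in (
        ("ipv4", ipv4_start, ipv4_end, ipaddress.IPv4Address),
        ("ipv6", ipv6_start, ipv6_end, ipaddress.IPv6Address),
    ):
        if (start is None) != (end is None):
            raise ValueError(f"{name}_start and {name}_end must be given together")
        if start is not None:
            lo, hi = cls(start), cls(end)
            if lo > hi:
                raise ValueError(f"{name} range start {start} is after end {end}")
            params[f"{name}_start"], params[f"{name}_end"] = str(lo), str(hi)
    if target_ids is not None:
        params["target_ids"] = [str(uuid.UUID(t)) for t in target_ids]
    return params


if __name__ == "__main__":
    vnet = "c77b744e-acc8-428f-9257-6878c046ed55"
    print(target_body("infra-access-target", ipv4="187.26.29.249", virtual_network_id=vnet))
    print(target_list_filters(ipv4_start="187.26.29.0", ipv4_end="187.26.29.255", per_page=50))
```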
### Parameters

- `account_id: str` Account identifier
- `target_ids: SequenceNotStr[str]` List of target IDs to bulk delete

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
client.zero_trust.access.infrastructure.targets.bulk_delete_v2(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    target_ids=["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"],
)
```

## Domain Types

### Target List Response

- `class TargetListResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Target Get Response

- `class TargetGetResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Target Create Response

- `class TargetCreateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Target Update Response

- `class TargetUpdateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

### Target Bulk Update Response

- `class TargetBulkUpdateResponse: …`
  - `id: str` Target identifier
  - `created_at: datetime` Date and time at which the target was created
  - `hostname: str` A non-unique field that refers to a target
  - `ip: IP` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: Optional[IPIPV4]` The target's IPv4 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: Optional[IPIPV6]` The target's IPv6 address
      - `ip_addr: Optional[str]` IP address of the target
      - `virtual_network_id: Optional[str]` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: datetime` Date and time at which the target was modified

# Applications

## List Access applications

`zero_trust.access.applications.list(ApplicationListParams**kwargs) -> SyncV4PagePaginationArray[ApplicationListResponse]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Lists all Access applications in an account or zone.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `aud: Optional[str]` The aud of the app.
- `domain: Optional[str]` The domain of the app.
- `exact: Optional[bool]` True for only exact string matches against passed name/domain query parameters.
- `name: Optional[str]` The name of the app.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `search: Optional[str]` Search for apps by other listed query parameters.
- `target_attributes: Optional[str]` Target Criteria attributes in key=value format.

### Returns

- `ApplicationListResponse`
  - `class SelfHostedApplication: …`
    - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: Optional[str]` UUID.
    - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: Optional[CORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application
    - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: Optional[Literal["public"]]`
          - `"public"`
        - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `class SelfHostedApplicationDestinationPrivateDestination: …`
        - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: Optional[Literal["private"]]`
          - `"private"`
        - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
        - `type: Optional[Literal["via_mcp_server_portal"]]`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the application.
    - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
      - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
        - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path.
      If disabled, the JWT will scope to the hostname by default.
    - `policies: Optional[List[SelfHostedApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
          - `group: Group`
            - `id: str` The ID of a previously created Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. 
- `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. 
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: str` URL used to generate the auth code used during token generation. - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remove SCIM service. - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remove SCIM service. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. 
- `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations. - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations. - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class SaaSApplication: …` - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `policies: Optional[List[SaaSApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. 
- `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. 
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `saas_app: Optional[SaaSApplicationSaaSApp]` - `class SAMLSaaSApp: …` - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: Optional[List[CustomAttribute]]` - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute. - `name: Optional[str]` The name of the attribute. - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: Optional[bool]` If the attribute is required when building a SAML assertion. - `source: Optional[CustomAttributeSource]` - `name: Optional[str]` The name of the IdP attribute. - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name. 
- `idp_id: Optional[str]` The UID of the IdP. - `source_name: Optional[str]` The name of the IdP provided attribute. - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application. - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata] (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider. - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests. - `class OIDCSaaSApp: …` - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: Optional[bool]` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. 
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client ID.
      - `client_secret: Optional[str]` The application client secret, only returned on POST request.
      - `custom_claims: Optional[List[CustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` Whether the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[CustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", "hybrid", "implicit"]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs to which Cloudflare may return Authorization codes and Access/ID tokens.
      - `refresh_token_options: Optional[RefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, and d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
      - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
        - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
        - `remote_uri: str` The base URI for the application's SCIM-compatible API.
        - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
          - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
            - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
            - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
            - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
            - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
              - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
              - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
              - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
                - `"access_service_token"`
        - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
        - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
        - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
          - `schema: str` Which SCIM resource type this mapping applies to.
          - `enabled: Optional[bool]` Whether or not this mapping is enabled.
          - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
          - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
          - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning through this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
          - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp", "mcp", "mcp_portal", "proxy_endpoint"]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iframe.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserSSHApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`.
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning through this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class BrowserVNCApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp", "mcp", "mcp_portal", "proxy_endpoint"]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iframe.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserVNCApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserVNCApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
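Two duration grammars appear in this reference: the `300ms` / `2h45m` form with units ns, us (or µs), ms, s, m, h used by `access_token_lifetime`, the OAuth `session_duration` and the application and policy `session_duration` fields, and the minutes-or-hours form bounded by 0m and 720h used by the MFA `session_duration`. A value that the API rejects is only discovered at request time, so the validator below checks a value client-side before it goes into a request body. It is an added example, not code from the Cloudflare SDK or API; the function names are this example's own, and accepting fractional components such as `1.5h` in the first grammar is an assumption (the page shows only whole-number components).

```python
import re
from datetime import timedelta
from typing import Dict

# Unit multipliers in nanoseconds for the "300ms" / "2h45m" grammar
# (the units the reference lists: ns, us or µs, ms, s, m, h).
_UNIT_NS: Dict[str, int] = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60_000_000_000,
    "h": 3_600_000_000_000,
}
# One "<number><unit>" component; longer unit names come first so that
# "ms" is not read as "m" followed by junk.
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(text: str) -> timedelta:
    """Parse a token/session duration such as '300ms' or '2h45m'.

    Components are summed left to right; anything that is not a
    number followed by a known unit raises ValueError. Fractional
    components ('1.5h') are accepted here as an assumption of this
    example. Sub-microsecond precision is truncated because timedelta
    only resolves microseconds.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty duration")
    pos = 0
    total_ns = 0
    while pos < len(text):
        m = _COMPONENT.match(text, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        total_ns += int(float(m.group(1)) * _UNIT_NS[m.group(2)])
        pos = m.end()
    return timedelta(microseconds=total_ns // 1_000)


# MFA session_duration: whole minutes (m) or hours (h) only, 0m .. 720h.
_MFA_DURATION = re.compile(r"^(\d+)(m|h)$")
MFA_SESSION_MAX = timedelta(hours=720)  # 30 days, per the reference


def validate_mfa_session_duration(text: str) -> timedelta:
    """Validate an MFA session_duration value and return it as a timedelta."""
    m = _MFA_DURATION.match(text.strip())
    if m is None:
        raise ValueError(
            f"MFA session_duration must be whole minutes or hours, e.g. '5m' or '24h'; got {text!r}"
        )
    count, unit = int(m.group(1)), m.group(2)
    value = timedelta(minutes=count) if unit == "m" else timedelta(hours=count)
    if value > MFA_SESSION_MAX:
        raise ValueError(f"MFA session_duration {text!r} exceeds the 720h maximum")
    return value


if __name__ == "__main__":
    # Constructed sample values, not taken from any account.
    for sample in ("300ms", "2h45m", "1.5h", "10µs"):
        print(f"{sample:>8} -> {parse_duration(sample)}")
    for sample in ("5m", "24h", "720h"):
        print(f"MFA {sample:>5} -> {validate_mfa_session_duration(sample)}")
```

`parse_duration` deliberately rejects a bare number with no unit and any unit outside the listed set, which is where hand-built configuration most often goes wrong; `validate_mfa_session_duration` enforces the narrower grammar and the 720h ceiling separately because the two fields do not share a format.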
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
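The policy semantics spelled out above (`include` is evaluated with OR, `exclude` with NOT, `require` with AND, and `precedence` must be unique per application) are worth seeing end to end, because a policy that has an `include` list but an empty `require` list still matches, and a user who satisfies `include` is still rejected by a single `exclude` hit. The evaluator below is an added example, not code from the Cloudflare SDK or API: rules are modelled as simplified `(kind, value)` tuples that mimic the matching behaviour of only a handful of the rule classes listed (EveryoneRule, EmailRule, DomainRule, GroupRule, CountryRule, IPRule, AnyValidServiceTokenRule, ServiceTokenRule), not the API's wire format. `UserContext`, `Policy`, `policy_matches` and `evaluate` are this example's own names, the lowercase decision strings `allow`, `deny`, `non_identity` and `bypass` are the API spellings of the Allow, Block, non_identity and bypass decisions the page mentions, and the first-match-wins walk in precedence order with `deny` when no policy matches is an assumption the page does not state.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed, simplified rule: (kind, value). This is NOT the Cloudflare
# AccessRule wire format; it only models each rule class's matching logic.
Rule = Tuple[str, object]


@dataclass
class UserContext:
    """What Access knows about the request when a policy is evaluated (constructed)."""
    email: str
    country: str                    # ISO country code of the source IP
    ip: str
    groups: Set[str] = field(default_factory=set)   # Access group ids
    service_token_id: Optional[str] = None          # set when a valid service token was presented


def _match_one(rule: Rule, user: UserContext) -> bool:
    """Does a single rule match this user? Mirrors the rule class descriptions."""
    kind, value = rule
    if kind == "everyone":            # EveryoneRule
        return True
    if kind == "email":               # EmailRule: a specific email
        return user.email.lower() == str(value).lower()
    if kind == "email_domain":        # DomainRule: an entire email domain
        return user.email.lower().endswith("@" + str(value).lower())
    if kind == "group":               # GroupRule: an Access group
        return value in user.groups
    if kind == "country":             # CountryRule: a specific country
        return user.country.upper() == str(value).upper()
    if kind == "ip":                  # IPRule: an IP address block
        return ipaddress.ip_address(user.ip) in ipaddress.ip_network(str(value), strict=False)
    if kind == "any_service_token":   # AnyValidServiceTokenRule
        return user.service_token_id is not None
    if kind == "service_token":       # ServiceTokenRule: one specific token
        return user.service_token_id == value
    raise ValueError(f"unsupported rule kind: {kind}")


@dataclass
class Policy:
    name: str
    decision: str                     # allow | deny | non_identity | bypass
    precedence: int
    include: List[Rule] = field(default_factory=list)
    exclude: List[Rule] = field(default_factory=list)
    require: List[Rule] = field(default_factory=list)


def policy_matches(policy: Policy, user: UserContext) -> bool:
    """include: OR (at least one), exclude: NOT (none may match), require: AND (all)."""
    if not any(_match_one(r, user) for r in policy.include):
        return False                  # an empty include list can never match
    if any(_match_one(r, user) for r in policy.exclude):
        return False
    return all(_match_one(r, user) for r in policy.require)   # all([]) is True


def evaluate(policies: List[Policy], user: UserContext) -> str:
    """Walk policies in precedence order; the first match decides (assumed: no match -> deny)."""
    precedences = [p.precedence for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy_matches(policy, user):
            return policy.decision
    return "deny"


# Constructed sample policies: contractors are blocked outside the US first,
# then staff and contractors inside the US are allowed unless offboarded,
# and a CI service token gets a non_identity decision.
POLICIES = [
    Policy("Block contractors abroad", "deny", 1,
           include=[("email_domain", "contractor.example")],
           exclude=[("country", "US")]),
    Policy("Staff and contractors", "allow", 2,
           include=[("email_domain", "example.com"), ("email_domain", "contractor.example")],
           exclude=[("group", "offboarded")],
           require=[("country", "US")]),
    Policy("CI service token", "non_identity", 3,
           include=[("service_token", "ci-token-id")]),
]

if __name__ == "__main__":
    for user in (
        UserContext("alice@example.com", "US", "203.0.113.10"),
        UserContext("bob@contractor.example", "DE", "203.0.113.11"),
        UserContext("carol@example.com", "US", "203.0.113.12", groups={"offboarded"}),
    ):
        print(f"{user.email:>28} from {user.country}: {evaluate(POLICIES, user)}")
```

The ordering matters: swapping the first two precedences would let the second policy allow a US-based contractor before the first one is ever consulted, which is why the reference insists on unique precedence values and why a deny policy that should win is normally given the lowest number.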
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", …]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the log in button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BrowserIsolationPermissionsApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: Optional[str]` The name of the application. - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. 
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BookmarkApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
- `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. 
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class InfrastructureApplication: …` - `target_criteria: List[InfrastructureApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["SSH"]` The communication protocol your application secures. - `"SSH"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `aud: Optional[str]` Audience tag. - `name: Optional[str]` The name of the application. - `policies: Optional[List[InfrastructureApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application. - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH. 
- `allow_email_alias: Optional[bool]` Enables using Identity Provider email alias as SSH username. - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. 
Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. 
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access policy. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
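The `include`, `exclude` and `require` fields listed for every policy above compose with OR, NOT and AND respectively, and infrastructure policies add an SSH username constraint through `connection_rules.ssh`. The evaluator below is an added example, not code from this page or from Cloudflare's SDK: it applies those semantics to a constructed identity context and a constructed infrastructure application. The rule dictionary keys (`group`, `email`, `email_domain`, `geo`, `ip`, `device_posture`, `everyone`, `any_valid_service_token`) follow the Access API's JSON rule shapes as an assumption of the example; the identity-context field names are the example's own; and "first matching policy in precedence order wins, no match means deny" and "allowed SSH usernames are the union over matching Allow policies" are modelling assumptions, not statements from this page.

```python
import ipaddress
from typing import Any

# Constructed identity context, as an evaluator would see it after login.
# These field names belong to this example, not to the Access API.
USER: dict[str, Any] = {
    "email": "alice@example.com",
    "groups": {"grp-sre"},                 # Access group IDs the user belongs to
    "country": "DE",
    "ip": "203.0.113.7",
    "posture_passed": {"dp-crowdstrike"},  # device posture integration UIDs that passed
    "service_token_valid": False,
}

# Constructed infrastructure application with one policy (assumed API rule shapes).
PROD_SSH_APP: dict[str, Any] = {
    "type": "infrastructure",
    "policies": [
        {
            "name": "SRE from the office network on a managed device",
            "decision": "allow",          # the only decision infrastructure policies accept
            "precedence": 1,
            "include": [                  # OR: SRE group, or the break-glass account
                {"group": {"id": "grp-sre"}},
                {"email": {"email": "breakglass@example.com"}},
            ],
            "exclude": [{"geo": {"country_code": "KP"}}],            # NOT
            "require": [                                              # AND
                {"device_posture": {"integration_uid": "dp-crowdstrike"}},
                {"ip": {"ip": "203.0.113.0/24"}},
            ],
            "connection_rules": {
                "ssh": {"usernames": ["deploy"], "allow_email_alias": True}
            },
        }
    ],
}


def rule_matches(rule: dict[str, Any], user: dict[str, Any]) -> bool:
    """Evaluate one AccessRule variant; unmodelled variants never match (fail closed)."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return user["email"].lower() == body["email"].lower()
    if kind == "email_domain":
        return user["email"].lower().rsplit("@", 1)[-1] == body["domain"].lower()
    if kind == "group":
        return body["id"] in user["groups"]
    if kind == "geo":
        return user["country"] == body["country_code"]
    if kind == "ip":
        net = ipaddress.ip_network(body["ip"], strict=False)
        return ipaddress.ip_address(user["ip"]) in net
    if kind == "device_posture":
        return body["integration_uid"] in user["posture_passed"]
    if kind == "any_valid_service_token":
        return bool(user["service_token_valid"])
    return False


def policy_matches(policy: dict[str, Any], user: dict[str, Any]) -> bool:
    """include is OR, exclude is NOT, require is AND, as the field descriptions state."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(rule_matches(r, user) for r in include):
        return False          # an empty include list matches nobody
    if any(rule_matches(r, user) for r in exclude):
        return False          # one exclude hit is enough to reject
    return all(rule_matches(r, user) for r in require)   # empty require is vacuously true


def decide(policies: list[dict[str, Any]], user: dict[str, Any]) -> str:
    """First matching policy in precedence order wins; no match is a deny (assumption)."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, user):
            return policy["decision"]
    return "deny"


def authorize_ssh(app: dict[str, Any], user: dict[str, Any], username: str) -> bool:
    """Infrastructure apps: union the SSH usernames of every matching Allow policy,
    adding the email local part when allow_email_alias is set (union is an assumption)."""
    allowed: set[str] = set()
    for policy in app["policies"]:
        if policy.get("decision") != "allow" or not policy_matches(policy, user):
            continue
        ssh = policy.get("connection_rules", {}).get("ssh", {})
        allowed.update(ssh.get("usernames", []))
        if ssh.get("allow_email_alias"):
            allowed.add(user["email"].split("@", 1)[0])
    return username in allowed


if __name__ == "__main__":
    print(decide(PROD_SSH_APP["policies"], USER))        # allow
    print(authorize_ssh(PROD_SSH_APP, USER, "deploy"))   # True
    print(authorize_ssh(PROD_SSH_APP, USER, "root"))     # False
```

Two behaviours are worth noting when you write policies against this schema: a rule type the evaluator does not understand is treated as non-matching, so an `include` made only of such rules admits nobody, and `allow_email_alias` widens the SSH username set to the identity provider's email local part, which is why the constructed SRE user can log in as both `deploy` and `alice` but never as `root`.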
- `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: List[BrowserRDPApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["RDP"]` The communication protocol your application secures. - `"RDP"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. 
Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserRDPApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. 
  - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
    - `"tcp"`
    - `"udp"`
  - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
  - `type: Optional[Literal["private"]]`
    - `"private"`
  - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
  - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal.
    - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls.
    - `type: Optional[Literal["via_mcp_server_portal"]]`
      - `"via_mcp_server_portal"`
- `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the application.
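This page carries two different duration grammars: `mfa_config.session_duration` accepts a single number in minutes or hours between `0m` and `720h`, while the application and policy `session_duration` fields and the OAuth `access_token_lifetime` use Go-style durations such as `300ms` or `2h45m` with units ns, us (or µs), ms, s, m, h. Mixing them up is only reported by the API at request time, so the following pre-flight linter, an added example rather than code from this page or from the SDK, parses both grammars and walks a constructed application body for every duration field the page lists. The `"self_hosted"` and `"infrastructure"` values for `type` are assumed `ApplicationType` values, and treating the MFA duration as exactly one number plus one unit is an assumption about the format.

```python
import re
from typing import Any

# Unit table for the Go-style duration format the page documents for
# session_duration and access_token_lifetime: ns, us (or µs), ms, s, m, h.
_NS_PER_UNIT = {
    "ns": 1,
    "us": 1_000,
    "\u00b5s": 1_000,   # MICRO SIGN
    "\u03bcs": 1_000,   # GREEK SMALL LETTER MU, which Go also accepts
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# Longer units come first so "ms" is not read as "m" followed by junk.
_TOKEN_RE = re.compile("(\\d+(?:\\.\\d+)?)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)")
_MFA_RE = re.compile(r"^(\d+)([mh])$")
MFA_MAX_MINUTES = 720 * 60   # 720h, the documented maximum


def parse_token_duration(value: str) -> int:
    """Parse '300ms' or '2h45m' into nanoseconds, rejecting anything else
    (no sign prefix, no bare number, no unit outside the documented set)."""
    if not value:
        raise ValueError("empty duration")
    pos, total = 0, 0
    while pos < len(value):
        m = _TOKEN_RE.match(value, pos)
        if m is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        number, unit = m.groups()
        total += int(float(number) * _NS_PER_UNIT[unit])
        pos = m.end()
    return total


def parse_mfa_session_duration(value: str) -> int:
    """Validate an mfa_config.session_duration ('5m', '24h') and return minutes.
    One number with unit m or h is assumed; the range is 0m..720h inclusive."""
    m = _MFA_RE.match(value)
    if m is None:
        raise ValueError(f"MFA session duration must look like 5m or 24h, got {value!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > MFA_MAX_MINUTES:
        raise ValueError(f"MFA session duration {value!r} exceeds 720h")
    return minutes


def lint_durations(app: dict[str, Any]) -> list[str]:
    """Check every duration field of an application dict before it is sent to the API.
    Returns 'path: problem' strings; an empty list means clean."""
    problems: list[str] = []

    def check(path: str, value: Any, parser) -> None:
        if value is None:
            return
        try:
            parser(value)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    if app.get("type") == "infrastructure" and app.get("session_duration") is not None:
        problems.append("session_duration: unsupported for infrastructure type applications")
    else:
        check("session_duration", app.get("session_duration"), parse_token_duration)
    check("mfa_config.session_duration",
          (app.get("mfa_config") or {}).get("session_duration"), parse_mfa_session_duration)
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    check("oauth_configuration.grant.access_token_lifetime",
          grant.get("access_token_lifetime"), parse_token_duration)
    check("oauth_configuration.grant.session_duration",
          grant.get("session_duration"), parse_token_duration)
    for i, policy in enumerate(app.get("policies") or []):
        check(f"policies[{i}].session_duration", policy.get("session_duration"), parse_token_duration)
        check(f"policies[{i}].mfa_config.session_duration",
              (policy.get("mfa_config") or {}).get("session_duration"), parse_mfa_session_duration)
    return problems


# Constructed application bodies for the checks above (not real configurations).
SAMPLE_APP: dict[str, Any] = {
    "type": "self_hosted",   # assumed ApplicationType value
    "session_duration": "24h",
    "mfa_config": {"session_duration": "90m"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "8h"}},
    "policies": [
        {"name": "ok", "session_duration": "2h45m", "mfa_config": {"session_duration": "12h"}},
        {"name": "bad", "session_duration": "30 minutes", "mfa_config": {"session_duration": "1000h"}},
    ],
}
SAMPLE_INFRA_APP: dict[str, Any] = {"type": "infrastructure", "session_duration": "1h", "policies": []}

if __name__ == "__main__":
    for problem in lint_durations(SAMPLE_APP) + lint_durations(SAMPLE_INFRA_APP):
        print(problem)
```

Run against the constructed bodies, the linter flags the policy whose token lifetime is written as `30 minutes`, the MFA session of `1000h` that exceeds the 720h ceiling, and the `session_duration` set on an infrastructure application, which the page notes is unsupported there.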
- `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default.
- `policies: Optional[List[BrowserRDPApplicationPolicy]]`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user must not meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces a specific MFA option.
    - `class AzureGroupRule: …` Matches an Azure group.
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`
- `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

  ```json
  {
    "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
  }
  ```

- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: str` The base URI for the application's SCIM-compatible API.
  - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` The authentication scheme Access uses when making SCIM requests to this application; one of the variants below.
    - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
- `class McpServerApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerPortalApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. 
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: Optional[List[McpServerPortalApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. 
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. 
        - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: Optional[str]` The name of the Access policy.
      - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
      - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Evaluates the user against custom criteria served by an external endpoint; for Allow or Block policies.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: Optional[datetime]`
    - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: str` The base URI for the application's SCIM-compatible API.
      - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` The authentication scheme used for SCIM provisioning requests to this application: one of the schemes below, or a list of them.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
          - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
      - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
      - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: str` Which SCIM resource type this mapping applies to.
        - `enabled: Optional[bool]` Whether or not this mapping is enabled.
        - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: Optional[List[str]]` The tags you want assigned to an application.
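The `include` / `exclude` / `require` semantics and policy `precedence` described in this schema, together with the `oauth_configuration.dynamic_client_registration` redirect-URI rules (`https` only, `/*` sub-path wildcard, localhost and loopback escape hatches) that appear in the response example below, are easiest to check in code. The following Python is an added example written for this page, not code from the reference or from the `cloudflare` SDK: it evaluates a constructed application dict with the same keys as a list-response `result` entry, so it runs offline. The identity dicts, the sample policies, `grp-devs`, `tok-ci` and the hostnames are invented for illustration; the assumptions that policies are tried in ascending precedence with the first match deciding, that no match is a deny, and that localhost/loopback clients may register plain `http` URIs are mine, not statements from the page.

```python
"""Offline helpers for reviewing Cloudflare Access application objects.

Added example, not code from this reference or the cloudflare SDK. It works on
plain dicts with the same keys as a "result" entry of the list response. Assumed,
not stated by the page: policies are tried in ascending precedence and the first
match decides; no match is a deny; localhost/loopback clients may use plain http.
"""
import ipaddress
from typing import Any, Dict
from urllib.parse import urlsplit


def rule_matches(rule: Dict[str, Any], identity: Dict[str, Any]) -> bool:
    """Match one AccessRule object; each rule has exactly one key naming its type."""
    (kind, body), = rule.items()
    email = identity.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "group":
        return body["id"] in identity.get("groups", ())
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return email.endswith("@" + body["domain"].lower())
    if kind == "ip":  # IPv4 or IPv6 CIDR; a bare host address counts as /32 or /128
        addr = identity.get("ip")
        return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(
            body["ip"], strict=False
        )
    if kind == "geo":
        return identity.get("country") == body["country_code"]
    if kind == "service_token":
        return identity.get("service_token_id") == body["token_id"]
    raise ValueError(f"unsupported rule type {kind!r}")  # fail closed on rule types not modelled here


def policy_matches(policy: Dict[str, Any], identity: Dict[str, Any]) -> bool:
    """include is OR, exclude is NOT, require is AND, as the schema describes."""
    if not any(rule_matches(r, identity) for r in policy.get("include") or []):
        return False
    if any(rule_matches(r, identity) for r in policy.get("exclude") or []):
        return False
    return all(rule_matches(r, identity) for r in policy.get("require") or [])


def evaluate(app: Dict[str, Any], identity: Dict[str, Any]) -> str:
    """Decision of the first matching policy in precedence order; deny when none matches."""
    for policy in sorted(app.get("policies") or [], key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"]
    return "deny"


def redirect_uri_allowed(uri: str, dcr: Dict[str, Any]) -> bool:
    """Validate a dynamically registered client's redirect URI against the
    dynamic_client_registration settings: https only, exact match or a trailing
    "/*" sub-path wildcard, plus the localhost and 127.0.0.1 escape hatches."""
    if not dcr.get("enabled"):
        return False
    parts = urlsplit(uri)
    if parts.scheme == "https":
        for allowed in dcr.get("allowed_uris") or []:
            if allowed.endswith("/*"):
                base = allowed[:-2]
                if uri == base or uri.startswith(base + "/"):  # "/oauth/*" must not match "/oauthx"
                    return True
            elif uri == allowed:
                return True
    if parts.scheme in ("http", "https"):  # assumption: loopback clients may use plain http
        if dcr.get("allow_any_on_localhost") and parts.hostname == "localhost":
            return True
        if dcr.get("allow_any_on_loopback") and parts.hostname == "127.0.0.1":
            return True
    return False


SAMPLE_APP = {  # constructed; same shape as a list-response "result" entry
    "name": "Admin Site",
    "oauth_configuration": {
        "dynamic_client_registration": {
            "enabled": True,
            "allowed_uris": ["https://app.example.com/callback", "https://tools.example.com/oauth/*"],
            "allow_any_on_localhost": True,
            "allow_any_on_loopback": False,
        }
    },
    "policies": [
        {"name": "Block contractors", "decision": "deny", "precedence": 1,
         "include": [{"email_domain": {"domain": "contractor.example"}}]},
        {"name": "Allow devs from the office", "decision": "allow", "precedence": 2,
         "include": [{"group": {"id": "grp-devs"}}, {"email": {"email": "oncall@example.com"}}],
         "exclude": [{"geo": {"country_code": "KP"}}],
         "require": [{"ip": {"ip": "10.0.0.0/8"}}]},
        {"name": "CI pipeline", "decision": "non_identity", "precedence": 3,
         "include": [{"service_token": {"token_id": "tok-ci"}}]},
        {"name": "Catch-all", "decision": "allow", "precedence": 4,  # the policy a review should catch
         "include": [{"everyone": {}}]},
    ],
}
```

Note what the `Catch-all` policy does: a developer connecting from outside `10.0.0.0/8` fails the `require` rule of the intended policy and falls through to the `everyone` allow, which is exactly the kind of configuration to look for when reviewing the `policies` returned by this endpoint. Likewise, `redirect_uri_allowed` rejects `https://app.example.com/callback/extra` for an exact entry and `https://app.example.com@evil.test/callback` for any entry, but accepts `http://localhost:8080/cb` because `allow_any_on_localhost` is set.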
      Tags are used to filter applications in the App Launcher dashboard.

### Example

```python
import os

from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)

page = client.zero_trust.access.applications.list(
    account_id="account_id",
)
app = page.result[0]  # first application on the first page of results
print(app)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "domain": "test.example.com/admin",
      "type": "self_hosted",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "allow_authenticate_via_warp": true,
      "allow_iframe": true,
      "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
      "app_launcher_visible": true,
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "auto_redirect_to_identity": true,
      "cors_headers": {
        "allow_all_headers": true,
        "allow_all_methods": true,
        "allow_all_origins": true,
        "allow_credentials": true,
        "allowed_headers": ["string"],
        "allowed_methods": ["GET"],
        "allowed_origins": ["https://example.com"],
        "max_age": -1
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "custom_deny_message": "custom_deny_message",
      "custom_deny_url": "custom_deny_url",
      "custom_non_identity_deny_url": "custom_non_identity_deny_url",
      "custom_pages": ["699d98642c564d2e855e9661899b7252"],
      "destinations": [
        { "type": "public", "uri": "test.example.com/admin" },
        { "type": "public", "uri": "test.anotherexample.com/staff" },
        { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" },
        { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" },
        { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" },
        { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
      ],
      "enable_binding_cookie": true,
      "http_only_cookie_attribute": true,
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Admin Site",
      "oauth_configuration": {
        "dynamic_client_registration": {
          "allow_any_on_localhost": true,
          "allow_any_on_loopback": true,
          "allowed_uris": ["https://example.com/callback"],
          "enabled": true
        },
        "enabled": true,
        "grant": { "access_token_lifetime": "5m", "session_duration": "24h" }
      },
      "options_preflight_bypass": true,
      "path_cookie_attribute": true,
      "policies": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "approval_groups": [
            { "approvals_needed": 1, "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"], "email_list_uuid": "email_list_uuid" },
            { "approvals_needed": 3, "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" }
          ],
          "approval_required": true,
          "connection_rules": {
            "rdp": {
              "allowed_clipboard_local_to_remote_formats": ["text"],
              "allowed_clipboard_remote_to_local_formats": ["text"]
            }
          },
          "created_at": "2014-01-01T05:20:00.12345Z",
          "decision": "allow",
          "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
          "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
          "isolation_required": false,
          "mfa_config": {
            "allowed_authenticators": ["totp", "biometrics", "security_key"],
            "mfa_disabled": false,
            "session_duration": "24h"
          },
          "name": "Allow devs",
          "precedence": 0,
          "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
          "purpose_justification_required": true,
          "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
          "session_duration": "24h",
          "updated_at": "2014-01-01T05:20:00.12345Z"
        }
      ],
      "read_service_tokens_from_header": "Authorization",
      "same_site_cookie_attribute": "strict",
      "scim_config": {
        "idp_uid": "idp_uid",
        "remote_uri": "remote_uri",
        "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" },
        "deactivate_on_delete": true,
        "enabled": true,
        "mappings": [
          {
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "enabled": true,
            "filter": "title pr or userType eq \"Intern\"",
            "operations": { "create": true, "delete": true, "update": true },
            "strictness": "strict",
            "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
          }
        ]
      },
      "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
      "service_auth_401_redirect": true,
      "session_duration": "24h",
      "skip_interstitial": true,
      "tags": ["engineers"],
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "use_clientless_isolation_app_launcher_url": false
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get an Access application

`zero_trust.access.applications.get(app_id: AppID, **kwargs: ApplicationGetParams) -> ApplicationGetResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Fetches information about an Access application.

### Parameters

- `app_id: AppID` Identifier.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `ApplicationGetResponse`
  - `class SelfHostedApplication: …`
    - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: Optional[str]` UUID.
    - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: Optional[CORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
    - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: Optional[Literal["public"]]`
          - `"public"`
        - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `class SelfHostedApplicationDestinationPrivateDestination: …`
        - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: Optional[Literal["private"]]`
          - `"private"`
        - `vnet_id: Optional[str]` The VNET ID to match the destination.
          When omitted, all VNETs will match.
      - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in AI Controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: Optional[str]` The MCP server ID configured in AI Controls.
        - `type: Optional[Literal["via_mcp_server_portal"]]`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the application.
    - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
      - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
        - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: Optional[List[SelfHostedApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy.
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
          - `group: Group`
            - `id: str` The ID of a previously created Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AccessAuthContextRuleAuthContext`
            - `id: str` The ID of an Authentication context.
            - `ac_id: str` The ACID of an Authentication context.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
          - `auth_method: AuthMethod`
            - `auth_method: str` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
          - `azure_ad: AzureAD`
            - `id: str` The ID of an Azure group.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
          - `certificate: Certificate`
        - `class AccessCommonNameRule: …` Matches a specific common name.
          - `common_name: AccessCommonNameRuleCommonName`
            - `common_name: str` The common name to match.
        - `class CountryRule: …` Matches a specific country.
          - `geo: Geo`
            - `country_code: str` The country code that should be matched.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: str` The ID of a device posture integration.
        - `class DomainRule: …` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: str` The email domain to match.
        - `class EmailListRule: …` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: str` The ID of a previously created email list.
        - `class EmailRule: …` Matches a specific email.
          - `email: Email`
            - `email: str` The email of the user.
        - `class EveryoneRule: …` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `class ExternalEvaluationRule: …` Evaluates the user against custom criteria served by an external endpoint; for Allow or Block policies.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: str` The API endpoint containing your business logic.
            - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
          - `github_organization: GitHubOrganization`
            - `identity_provider_id: str` The ID of your GitHub identity provider.
            - `name: str` The name of the organization.
            - `team: Optional[str]` The name of the team.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: str` The email of the Google Workspace group.
            - `identity_provider_id: str` The ID of your Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
          - `login_method: AccessLoginMethodRuleLoginMethod`
            - `id: str` The ID of an identity provider.
        - `class IPListRule: …` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: str` The ID of a previously created IP list.
        - `class IPRule: …` Matches an IP address block.
          - `ip: IP`
            - `ip: str` An IPv4 or IPv6 CIDR block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: str` The ID of your Okta identity provider.
            - `name: str` The name of the Okta group.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: str` The name of the SAML attribute.
            - `attribute_value: str` The SAML attribute value to look for.
            - `identity_provider_id: str` The ID of your SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: AccessOIDCClaimRuleOIDC`
            - `claim_name: str` The name of the OIDC claim.
            - `claim_value: str` The OIDC claim value to look for.
            - `identity_provider_id: str` The ID of your OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: str` The ID of a Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
          - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
            - `app_uid: str` The ID of an Access OIDC SaaS application.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
          - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
            - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Evaluates the user against custom criteria served by an external endpoint; for Allow or Block policies.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: Optional[str]` The name of the Access policy.
      - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
      - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces a specific authentication method (MFA option).
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Evaluates the user against custom criteria served by an external endpoint; for Allow or Block policies.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: str` Password used to authenticate with the remote SCIM service.
        - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: str` User name used to authenticate with the remote SCIM service.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: str` Token used to authenticate with the remote SCIM service.
        - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: str` URL used to generate the auth code used during token generation.
        - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
        - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
        - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class SaaSApplication: …`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[SaaSApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `saas_app: Optional[SaaSApplicationSaaSApp]`
    - `class SAMLSaaSApp: …`
      - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: Optional[List[CustomAttribute]]`
        - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
        - `name: Optional[str]` The name of the attribute.
        - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
        - `source: Optional[CustomAttributeSource]`
          - `name: Optional[str]` The name of the IdP attribute.
          - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
            - `idp_id: Optional[str]` The UID of the IdP.
            - `source_name: Optional[str]` The name of the IdP provided attribute.
      - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IDP initiated logins.
      - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
      - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
      - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
    - `class OIDCSaaSApp: …`
      - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: Optional[bool]` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client id.
      - `client_secret: Optional[str]` The application client secret, only returned on POST request.
      - `custom_claims: Optional[List[CustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` If the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[CustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: Optional[RefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
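The `include`, `require` and `exclude` lists on every policy above combine as OR, AND and NOT, and `precedence` orders the policies within an application. A small local model of that evaluation, added here as an illustration; it is not the SDK's code nor Cloudflare's edge logic. The dict shape of the rules, the `Identity` type, the decision labels `"allow"`/`"deny"` and the first-match-in-precedence-order walk are all assumptions of this example.

```python
"""Local model of how an Access policy's rule lists combine.

Added illustration only (not Cloudflare's evaluation logic or SDK code).
Assumed shapes: each rule is a dict with a "kind" key mirroring one of the
documented rule classes, and Identity is a constructed view of the requester.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Constructed attributes of a request; only what the sample rules inspect."""
    email: str | None = None
    country: str | None = None
    ip: str | None = None
    groups: frozenset[str] = frozenset()
    service_token_id: str | None = None


def rule_matches(rule: dict, who: Identity) -> bool:
    """One rule against one identity. Each branch mirrors a documented rule class."""
    kind = rule["kind"]
    if kind == "everyone":                 # EveryoneRule
        return True
    if kind == "email":                    # EmailRule: a specific address
        return who.email is not None and who.email.lower() == rule["email"].lower()
    if kind == "domain":                   # DomainRule: an entire email domain
        return who.email is not None and who.email.lower().endswith("@" + rule["domain"].lower())
    if kind == "country":                  # CountryRule
        return who.country == rule["country"]
    if kind == "ip":                       # IPRule: an address block
        return who.ip is not None and ipaddress.ip_address(who.ip) in ipaddress.ip_network(rule["cidr"], strict=False)
    if kind == "group":                    # GroupRule: an Access group
        return rule["group"] in who.groups
    if kind == "service_token":            # ServiceTokenRule: one specific token
        return who.service_token_id == rule["token_id"]
    if kind == "any_valid_service_token":  # AnyValidServiceTokenRule
        return who.service_token_id is not None
    raise ValueError(f"unsupported rule kind {kind!r}")


def policy_matches(policy: dict, who: Identity) -> bool:
    """Include is OR, Require is AND, Exclude is NOT, as the field docs state.

    Corollaries worth remembering when reviewing a policy: an empty Include
    list can never match, and a Require rule never grants access by itself,
    it only narrows what Include already admitted.
    """
    include = policy.get("include", [])
    require = policy.get("require", [])
    exclude = policy.get("exclude", [])
    if not any(rule_matches(r, who) for r in include):   # need at least one
        return False
    if not all(rule_matches(r, who) for r in require):   # need every one
        return False
    if any(rule_matches(r, who) for r in exclude):       # none may match
        return False
    return True


def decide(policies: list[dict], who: Identity) -> tuple[str, str | None]:
    """Walk policies by their unique precedence and report the first match.

    First-match-wins and the deny-by-default result are assumptions of this
    example; the decision strings are illustrative labels.
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"], policy.get("name")
    return "deny", None


# Constructed sample policies for one application.
SAMPLE_POLICIES = [
    {   # contractors may only connect from the US: Exclude negates a match
        "name": "block-contractors-abroad", "precedence": 1, "decision": "deny",
        "include": [{"kind": "domain", "domain": "contractor.example"}],
        "exclude": [{"kind": "country", "country": "US"}],
    },
    {   # staff, or anyone in the sre group, but only from the corporate range
        "name": "staff", "precedence": 2, "decision": "allow",
        "include": [{"kind": "domain", "domain": "example.com"},
                    {"kind": "group", "group": "sre"}],
        "require": [{"kind": "ip", "cidr": "10.0.0.0/8"}],
        "exclude": [{"kind": "email", "email": "left@example.com"}],
    },
]


if __name__ == "__main__":
    print(decide(SAMPLE_POLICIES, Identity(email="bob@example.com", ip="10.1.2.3")))
```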
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
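Several of these fields take duration strings with different rules: the application and policy `session_duration` fields (and the OAuth grant durations) use the `300ms` / `2h45m` format with units ns, us (µs), ms, s, m, h; `mfa_config.session_duration` accepts only m or h, from 0m to 720h; the OIDC `access_token_lifetime` accepts m or h, from 1m to 24h; and the refresh token `lifetime` accepts m, h or d and must be longer than 1m. A client-side validator for those constraints, added as an example that is not part of the SDK (the API validates server-side; this only saves a rejected request); the dotted field keys in `FIELD_RULES` and the `problems()` helper are names chosen for this example.

```python
"""Client-side validation for the duration strings these fields accept.

Added example, not SDK code. Units and limits come from the field docs;
the keys in FIELD_RULES are labels chosen for this example.
"""
from __future__ import annotations

import re

# Nanoseconds per unit. "us" and "µs" are the same unit; "d" exists only
# for the fields whose docs list it.
NS_PER = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
          "s": 10**9, "m": 60 * 10**9, "h": 3_600 * 10**9, "d": 86_400 * 10**9}
MINUTE, HOUR = NS_PER["m"], NS_PER["h"]
GO_UNITS = frozenset({"ns", "us", "µs", "ms", "s", "m", "h"})  # the `300ms` / `2h45m` format
# Two-letter units are listed before one-letter ones so "ms" is not read as "m".
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h|d)")


def parse_duration(text: str, units: frozenset[str] = GO_UNITS) -> int:
    """Parse a run of number+unit pairs such as '2h45m' into nanoseconds.

    Raises ValueError on an empty string, a unit outside `units`, or trailing
    junk ('2h45' is rejected because '45' carries no unit).
    """
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None or m.group(2) not in units:
            raise ValueError(f"bad duration {text!r} at offset {pos}")
        num = m.group(1)
        # keep integer inputs exact; only a decimal number goes through float
        total += (int(num) if num.isdigit() else float(num)) * NS_PER[m.group(2)]
        pos = m.end()
    return int(total)


# field label -> (allowed units, inclusive minimum in ns or None, inclusive maximum in ns or None)
FIELD_RULES = {
    # application / policy session_duration and the OAuth grant fields: full format, no bounds stated
    "session_duration": (GO_UNITS, None, None),
    # mfa_config.session_duration: m or h only, 0m up to 720h (30 days)
    "mfa_config.session_duration": (frozenset({"m", "h"}), 0, 720 * HOUR),
    # OIDC access_token_lifetime: m or h, at least 1m and at most 24h
    "saas_app.access_token_lifetime": (frozenset({"m", "h"}), MINUTE, 24 * HOUR),
    # refresh_token_options.lifetime: m, h or d, strictly longer than 1m
    "saas_app.refresh_token_options.lifetime": (frozenset({"m", "h", "d"}), MINUTE + 1, None),
}


def check_field(field: str, text: str) -> int:
    """Validate one value against its field's rule; return the duration in ns."""
    units, lo, hi = FIELD_RULES[field]
    ns = parse_duration(text, units)
    if lo is not None and ns < lo:
        raise ValueError(f"{field}={text!r} is below the minimum")
    if hi is not None and ns > hi:
        raise ValueError(f"{field}={text!r} exceeds the maximum")
    return ns


def problems(values: dict[str, str]) -> list[str]:
    """One message per invalid field; an empty list means every value is acceptable."""
    out = []
    for field, text in values.items():
        try:
            check_field(field, text)
        except ValueError as exc:
            out.append(str(exc))
    return out


if __name__ == "__main__":
    # constructed sample payload: the "30s" MFA value and "2h45" are the mistakes
    print(problems({"session_duration": "2h45", "mfa_config.session_duration": "30s"}))
```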
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserSSHApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
    - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class BrowserVNCApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserVNCApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserVNCApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
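The policy fields in this reference combine in a fixed way: `include` rules are ORed, `exclude` rules are NOTed, `require` rules are ANDed, `precedence` must be unique within an app, and the two `session_duration` fields use different formats (`300ms`/`2h45m` for tokens, `5m`/`24h` bounded by 0m and 720h for MFA). The following is an added, offline Python example, not code from the `cloudflare` SDK or its documentation. The one-key dict shape used for rules (`{"email_domain": ...}`, `{"ip": ...}`, `{"country": ...}`, `{"everyone": ...}`, `{"email": ...}`, `{"group": ...}`) is a constructed simplification of the `DomainRule`, `IPRule`, `CountryRule`, `EveryoneRule`, `EmailRule` and `GroupRule` classes above, not the SDK's wire format, and evaluating policies in ascending `precedence` order with the first match deciding is an assumption the example makes.

```python
"""Added example (not cloudflare SDK code): an offline model of how an Access
policy's include/exclude/require lists and session_duration strings behave."""
import ipaddress
import re
from fractions import Fraction
from typing import Any, Dict, List, Optional

# Token session_duration is Go-style ("300ms", "2h45m"); units ns, us (or µs),
# ms, s, m, h. Values are converted to whole nanoseconds.
_UNIT_NS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def session_duration_ns(value: str) -> int:
    """Parse an application/policy session_duration; ValueError on an empty
    string, a missing or unknown unit, or stray characters."""
    pos, total = 0, Fraction(0)
    for m in _DURATION_RE.finditer(value):
        if m.start() != pos:  # gap between components, e.g. "2h 45m"
            raise ValueError(f"invalid session_duration: {value!r}")
        total += Fraction(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"invalid session_duration: {value!r}")
    return int(total)


def mfa_session_duration_minutes(value: str) -> int:
    """Parse mfa_config.session_duration ("5m" or "24h") into minutes.
    Only m and h are accepted; the allowed range is 0m to 720h (30 days)."""
    m = re.fullmatch(r"(\d+)([mh])", value)
    if not m:
        raise ValueError(f"mfa session_duration must look like '5m' or '24h': {value!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > 720 * 60:
        raise ValueError(f"mfa session_duration exceeds the 720h maximum: {value!r}")
    return minutes


# Constructed rule shape (hypothetical, not the SDK's AccessRule types): a
# one-key dict such as {"email_domain": "corp.example"} or {"ip": "10.0.0.0/8"}.
def rule_matches(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    kind, arg = next(iter(rule.items()))
    if kind == "everyone":
        return True
    if kind == "email":
        return user.get("email", "").lower() == arg.lower()
    if kind == "email_domain":
        return user.get("email", "").lower().endswith("@" + arg.lower())
    if kind == "ip":  # address-block match, as IPRule does
        return ipaddress.ip_address(user["ip"]) in ipaddress.ip_network(arg, strict=False)
    if kind == "country":
        return user.get("country") == arg
    if kind == "group":
        return arg in user.get("groups", ())
    raise ValueError(f"unknown rule kind {kind!r}")


def policy_matches(policy: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """include is OR, exclude is NOT, require is AND (vacuously true when empty)."""
    return (any(rule_matches(r, user) for r in policy.get("include", []))
            and not any(rule_matches(r, user) for r in policy.get("exclude", []))
            and all(rule_matches(r, user) for r in policy.get("require", [])))


def decide(policies: List[Dict[str, Any]], user: Dict[str, Any]) -> Optional[str]:
    """Decision of the first matching policy in ascending precedence order (an
    assumption of this example); None means nothing matched, i.e. not allowed."""
    precedences = [p["precedence"] for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, user):
            return policy["decision"]
    return None


def lint_policies(policies: List[Dict[str, Any]]) -> List[str]:
    """One message per policy whose session settings would be rejected."""
    problems = []
    for p in policies:
        try:
            if "session_duration" in p:
                session_duration_ns(p["session_duration"])
            mfa = p.get("mfa_config") or {}
            if "session_duration" in mfa:
                mfa_session_duration_minutes(mfa["session_duration"])
        except ValueError as exc:
            problems.append(f"{p['name']}: {exc}")
    return problems


# Constructed sample policies; no real account data.
SAMPLE_POLICIES = [
    {"name": "Block contractors outside the US", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": "contractor.example"}], "exclude": [{"country": "US"}]},
    {"name": "Allow staff from the corporate network", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": "corp.example"}, {"email_domain": "contractor.example"}],
     "require": [{"ip": "10.0.0.0/8"}], "session_duration": "2h45m",
     "mfa_config": {"session_duration": "24h"}},
]
```

With the sample policies, `decide()` returns `"deny"` for a contractor connecting from Germany, `"allow"` for a corporate user on 10.0.0.0/8, and `None` for a corporate user coming from a public address (the `require` rule fails and no later policy matches). `lint_policies()` catches a value such as `3d` that the token-duration grammar on this page does not accept, before it is sent to the API.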
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the log in button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
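Added example (not part of the SDK reference): a small evaluator that applies the Include/Require/Exclude semantics stated in the policy fields above to constructed policies and request contexts. It models only what the field descriptions say: Include is OR, Require is AND, Exclude is NOT, `precedence` is the order of execution, the first matching policy's `decision` wins, and no match is a deny. The rule-object keys (`email`, `email_domain`, `group`, `ip`, `geo`, `device_posture`) are the Access API wire format as I understand it and the policy data is constructed; both are assumptions, and the code is not Cloudflare's engine.

```python
"""Added example (not from the SDK reference): evaluate Access policies the way
the field descriptions define them. include = OR, require = AND, exclude = NOT,
precedence = order of execution, first match wins, no match = deny."""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

# Constructed policies in the shape the SDK returns. The rule keys follow the
# Access API wire format as the author understands it (an assumption).
POLICIES: List[Dict[str, Any]] = [
    {
        "name": "Block contractors",
        "decision": "deny",
        "precedence": 1,
        "include": [{"email_domain": {"domain": "contractor.example"}}],
    },
    {
        "name": "Allow engineering from corporate ranges",
        "decision": "allow",
        "precedence": 2,
        "include": [
            {"group": {"id": "eng-group-uuid"}},
            {"email": {"email": "oncall@example.com"}},
        ],
        "require": [
            {"ip": {"ip": "10.0.0.0/8"}},
            {"geo": {"country_code": "US"}},
            {"device_posture": {"integration_uid": "posture-disk-encryption"}},
        ],
        "exclude": [{"email": {"email": "mallory@example.com"}}],
    },
]


def rule_matches(rule: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    """Evaluate a single AccessRule object against the request context."""
    (kind, body), = rule.items()
    email = ctx["email"].lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return email.rsplit("@", 1)[-1] == body["domain"].lower()
    if kind == "group":
        return body["id"] in ctx["groups"]
    if kind == "ip":
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return ctx["country"] == body["country_code"]
    if kind == "device_posture":
        # Matches only when that posture check ran and passed on the device.
        return body["integration_uid"] in ctx["posture_passed"]
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    # OR over Include: at least one rule must match; an empty list never matches.
    if not any(rule_matches(r, ctx) for r in include):
        return False
    # AND over Require: every rule must match (vacuously true when empty).
    if not all(rule_matches(r, ctx) for r in require):
        return False
    # NOT over Exclude: no rule may match.
    return not any(rule_matches(r, ctx) for r in exclude)


def evaluate(policies: List[Dict[str, Any]], ctx: Dict[str, Any]) -> Tuple[str, Optional[str]]:
    """(decision, policy name) of the first matching policy in precedence order,
    or ("deny", None) when no policy matches."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy["name"]
    return "deny", None


def make_ctx(email, groups=(), ip="10.20.30.40", country="US",
             posture=("posture-disk-encryption",)) -> Dict[str, Any]:
    """Build a constructed request context (identity, source IP, country, posture)."""
    return {"email": email, "groups": set(groups), "ip": ip, "country": country,
            "posture_passed": set(posture)}


if __name__ == "__main__":
    print(evaluate(POLICIES, make_ctx("alice@example.com", ["eng-group-uuid"])))
    print(evaluate(POLICIES, make_ctx("bob@contractor.example", ["eng-group-uuid"])))
    print(evaluate(POLICIES, make_ctx("alice@example.com", ["eng-group-uuid"], ip="203.0.113.5")))
```

The second case is the one worth noticing: the contractor is in the engineering group, but the Block policy has the lower precedence number and matches first, so group membership never gets a say. Ordering and decisions need to be reviewed together, not policy by policy.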
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain, in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
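Added example (not the SDK's code): two parsers for the duration formats this schema uses, plus an audit that walks a constructed list of applications and flags what a reviewer of these objects would want to see: an application or policy `session_duration` longer than a chosen maximum, an Allow policy whose Include is Everyone with no Require rules, and `mfa_config.mfa_disabled`. Token `session_duration` follows the `300ms`/`2h45m` grammar with the listed units; the MFA `session_duration` is read as a single count in `m` or `h` capped at 720h, which is the stricter reading of its description and an assumption. The application data is constructed.

```python
"""Added example (not from the SDK reference): parse the two session_duration
formats in this schema and audit constructed applications for weak settings."""
import re
from typing import Any, Dict, List

# Nanoseconds per unit, covering exactly the units listed for token durations.
_UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "μs": 1_000, "ms": 1_000_000,
            "s": 1_000_000_000, "m": 60_000_000_000, "h": 3_600_000_000_000}
# Longer unit names come first so "ms" is not read as "m" followed by junk.
_TOKEN_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)")
_MFA_RE = re.compile(r"^(\d+)([mh])$")
NS_PER_HOUR = _UNIT_NS["h"]


def parse_token_duration(value: str) -> int:
    """`300ms`, `2h45m`, `1.5h` ... -> nanoseconds. One or more number+unit parts."""
    pos, total = 0, 0.0
    while pos < len(value):
        m = _TOKEN_PART.match(value, pos)
        if m is None:
            raise ValueError(f"bad session_duration: {value!r}")
        total += float(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if pos == 0:
        raise ValueError("empty session_duration")
    return int(total)


def parse_mfa_session_minutes(value: str) -> int:
    """mfa_config.session_duration: one count in minutes (m) or hours (h), 0m..720h.
    Reading it as exactly one number+unit is an assumption."""
    m = _MFA_RE.match(value)
    if m is None:
        raise ValueError(f"bad mfa session_duration: {value!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > 720 * 60:
        raise ValueError(f"mfa session_duration above the 720h maximum: {value!r}")
    return minutes


# Constructed applications in the shape applications.list() returns (not real data).
APPLICATIONS: List[Dict[str, Any]] = [
    {"name": "wiki", "session_duration": "24h",
     "policies": [{"name": "staff", "decision": "allow", "precedence": 1,
                   "include": [{"email_domain": {"domain": "example.com"}}],
                   "mfa_config": {"mfa_disabled": False, "session_duration": "12h"}}]},
    {"name": "legacy-admin", "session_duration": "720h",
     "policies": [{"name": "anyone", "decision": "allow", "precedence": 1,
                   "include": [{"everyone": {}}],
                   "mfa_config": {"mfa_disabled": True}}]},
]


def audit_application(app: Dict[str, Any], max_hours: float = 24) -> List[str]:
    """Return findings for one application; an empty list means nothing was flagged."""
    findings: List[str] = []
    name = app.get("name") or app.get("id") or "?"
    if app.get("session_duration"):
        if parse_token_duration(app["session_duration"]) > max_hours * NS_PER_HOUR:
            findings.append(f"{name}: session_duration {app['session_duration']} exceeds {max_hours}h")
    for policy in app.get("policies") or []:
        pname = policy.get("name") or policy.get("id") or "?"
        include = policy.get("include") or []
        # An Allow policy that includes Everyone and requires nothing is public access.
        if (policy.get("decision") == "allow"
                and any("everyone" in rule for rule in include)
                and not policy.get("require")):
            findings.append(f"{name}/{pname}: Allow policy includes Everyone with no Require rules")
        if policy.get("session_duration"):
            if parse_token_duration(policy["session_duration"]) > max_hours * NS_PER_HOUR:
                findings.append(f"{name}/{pname}: policy session_duration {policy['session_duration']} exceeds {max_hours}h")
        mfa = policy.get("mfa_config") or {}
        if mfa.get("mfa_disabled"):
            findings.append(f"{name}/{pname}: MFA disabled")
        if mfa.get("session_duration"):
            if parse_mfa_session_minutes(mfa["session_duration"]) > max_hours * 60:
                findings.append(f"{name}/{pname}: MFA session {mfa['session_duration']} exceeds {max_hours}h")
    return findings


def audit_all(apps: List[Dict[str, Any]], max_hours: float = 24) -> Dict[str, List[str]]:
    """Map application name -> findings for every application in the list."""
    return {app["name"]: audit_application(app, max_hours) for app in apps}


if __name__ == "__main__":
    for app_name, findings in audit_all(APPLICATIONS).items():
        print(app_name, findings or "ok")
```

Feeding the real `applications.list()` result into `audit_all` means converting each model to a dict first (the SDK's `model_dump()`); the two parsers also make a useful pre-flight check before an `update()` call, since the two fields accept different grammars and `2h45m` is valid for one and not the other.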
  - `policies: Optional[List[BookmarkApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class InfrastructureApplication: …`
  - `target_criteria: List[InfrastructureApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["SSH"]` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `aud: Optional[str]` Audience tag.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[InfrastructureApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application.
      - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: Optional[bool]` Enables using the identity provider email alias as the SSH username.
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `name: Optional[str]` The name of the Access policy.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
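The include / require / exclude lists above are the core of every policy in these schemas: include is an OR over its rules, require is an AND, exclude is a NOT, and a policy matches only when all three agree. The evaluator below is an added example, not Cloudflare SDK code. It uses the JSON rule shape the Access API accepts (for instance `{"email_domain": {"domain": "example.com"}}`); those keys, the first-match-wins walk over `precedence`, and the `"allow"`/`"deny"` decision strings are assumptions of this example, and only a handful of rule kinds are implemented. The identities and policies are constructed sample data.

```python
"""Offline evaluator for the include (OR) / require (AND) / exclude (NOT)
semantics of an Access policy. Added example; rule keys are assumed."""
import ipaddress
from typing import Any, Dict, List, Optional

Rule = Dict[str, Dict[str, Any]]
Identity = Dict[str, Any]


def rule_matches(rule: Rule, ident: Identity) -> bool:
    """Evaluate a single rule object against an identity dict.
    Only a subset of rule kinds is implemented; the JSON keys are assumed."""
    (kind, spec), = rule.items()              # each rule object has exactly one key
    if kind == "everyone":
        return True
    if kind == "email":
        return ident.get("email", "").lower() == spec["email"].lower()
    if kind == "email_domain":
        return ident.get("email", "").lower().endswith("@" + spec["domain"].lower())
    if kind == "group":
        return spec["id"] in ident.get("groups", [])
    if kind == "ip":
        return ipaddress.ip_address(ident["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "geo":
        return ident.get("country") == spec["country_code"]
    if kind == "any_valid_service_token":
        return bool(ident.get("service_token_valid", False))
    raise ValueError(f"unsupported rule kind: {kind}")


def policy_matches(policy: Dict[str, Any], ident: Identity) -> bool:
    """include: at least one rule must match; require: every rule must match;
    exclude: no rule may match. An empty include list can never match."""
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if not any(rule_matches(r, ident) for r in include):
        return False
    if not all(rule_matches(r, ident) for r in require):
        return False
    if any(rule_matches(r, ident) for r in exclude):
        return False
    return True


def decide(policies: List[Dict[str, Any]], ident: Identity) -> Optional[str]:
    """Walk policies in ascending precedence; the first match supplies the
    decision (first-match-wins is this example's assumption). No match means
    no access, returned as None so the caller cannot mistake it for allow."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ident):
            return policy["decision"]
    return None


# Constructed sample policies, shaped like the `policies` entries in the schema.
SAMPLE_POLICIES = [
    {"name": "Block sessions from a disallowed country", "precedence": 1, "decision": "deny",
     "include": [{"geo": {"country_code": "XX"}}], "require": [], "exclude": []},
    {"name": "Engineering from the corporate network", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"group": {"id": "eng-group-uuid"}}],          # OR
     "require": [{"ip": {"ip": "10.0.0.0/8"}}],                # AND
     "exclude": [{"email": {"email": "intern@example.com"}}]},  # NOT
]

if __name__ == "__main__":
    alice = {"email": "alice@example.com", "ip": "10.1.2.3", "country": "US", "groups": []}
    print(decide(SAMPLE_POLICIES, alice))                        # allow
    print(decide(SAMPLE_POLICIES, dict(alice, ip="203.0.113.5")))  # None: fails require
```

Note that the `decide` helper returns `None` rather than `"deny"` when nothing matches; treating "no policy matched" as a distinct outcome keeps a misconfigured (empty) policy list from silently granting access.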
- `target_criteria: List[BrowserRDPApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["RDP"]` The communication protocol your application secures. - `"RDP"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserRDPApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be enabled if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: Optional[List[BrowserRDPApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
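Two different duration grammars appear in these schemas and are easy to mix up: the Go-style form (`300ms`, `2h45m`; units ns, us/µs, ms, s, m, h) used by `session_duration` and `access_token_lifetime`, and the MFA `session_duration` form, which accepts only minutes or hours and caps at 720h. The validators below are an added example, not Cloudflare code; they apply to every field on this page carrying one of those descriptions. The unit set, the m/h restriction and the 720h ceiling come from the field descriptions; the parsing rules beyond that (no sign, no whitespace, decimal fractions allowed as in Go's `time.ParseDuration`), the `check_application_durations` field paths and the sample application dict are this example's assumptions.

```python
"""Validators for the two duration formats used by Access application and
policy fields. Added example; field paths in check_application_durations are
assumed from the schema listing."""
import re
from typing import Any, Callable, Dict, List, Tuple

_UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
            "s": 1_000_000_000, "m": 60_000_000_000, "h": 3_600_000_000_000}
_GO_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_MFA = re.compile(r"^(\d+)([mh])$")
MAX_MFA_MINUTES = 720 * 60          # 720h (30 days), the documented maximum


def parse_go_duration(text: str) -> int:
    """Return total nanoseconds for a Go-style duration such as '300ms' or
    '2h45m'; raise ValueError for anything else (sign, spaces, bare numbers)."""
    if text == "0":                  # the one unit-less value Go accepts
        return 0
    pos, total, matched = 0, 0, False
    for m in _GO_TOKEN.finditer(text):
        if m.start() != pos:         # gap before this token: junk in the string
            raise ValueError(f"invalid duration {text!r}")
        total += int(float(m.group(1)) * _UNIT_NS[m.group(2)])
        pos, matched = m.end(), True
    if not matched or pos != len(text):
        raise ValueError(f"invalid duration {text!r}")
    return total


def validate_mfa_session_duration(text: str) -> int:
    """Return minutes for an MFA session_duration ('5m', '24h'); raise
    ValueError if the unit is not m or h, or the value exceeds 720h."""
    m = _MFA.match(text)
    if not m:
        raise ValueError(f"MFA session_duration must be <n>m or <n>h, got {text!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > MAX_MFA_MINUTES:
        raise ValueError(f"MFA session_duration exceeds 720h: {text!r}")
    return minutes


def _lookup(node: Any, path: Tuple[Any, ...]) -> Any:
    """Walk a dict/list tree by path; None when any step is missing."""
    for key in path:
        if isinstance(node, dict):
            node = node.get(key)
        elif isinstance(node, list) and isinstance(key, int) and key < len(node):
            node = node[key]
        else:
            return None
    return node


def check_application_durations(app: Dict[str, Any]) -> List[str]:
    """Collect format errors for every duration field of an application dict
    shaped like the schema above. Missing fields are skipped; each error is
    '<dotted.path>: <reason>'."""
    go_paths: List[Tuple[Any, ...]] = [
        ("session_duration",),
        ("oauth_configuration", "grant", "access_token_lifetime"),
        ("oauth_configuration", "grant", "session_duration"),
    ]
    mfa_paths: List[Tuple[Any, ...]] = [("mfa_config", "session_duration")]
    for i, _ in enumerate(app.get("policies") or []):
        go_paths.append(("policies", i, "session_duration"))
        mfa_paths.append(("policies", i, "mfa_config", "session_duration"))

    checks: List[Tuple[Tuple[Any, ...], Callable[[str], int]]] = (
        [(p, parse_go_duration) for p in go_paths]
        + [(p, validate_mfa_session_duration) for p in mfa_paths])
    errors = []
    for path, fn in checks:
        value = _lookup(app, path)
        if value is None:
            continue
        try:
            fn(value)
        except ValueError as exc:
            errors.append(".".join(map(str, path)) + ": " + str(exc))
    return errors


# Constructed sample: two of the five duration fields are wrong.
SAMPLE_APP = {
    "session_duration": "24h",
    "mfa_config": {"session_duration": "30m"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "15min"}},  # not a Go unit
    "policies": [{"session_duration": "2h45m",
                  "mfa_config": {"session_duration": "800h"}}],          # over 720h
}

if __name__ == "__main__":
    for err in check_application_durations(SAMPLE_APP):
        print(err)
```

Running the check before an `applications.create` or `update` call turns an API-side validation rejection into a local, field-addressed error; `15min` in particular looks plausible but is parsed as `15m` followed by trailing junk, which is exactly the failure the strict tokenizer catches.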
- `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` The authentication scheme used when making SCIM requests to this application: one of the schemes below, or a list of them for multiple schemes.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
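The `read_service_tokens_from_header` field above lets a client send its service token as one JSON-valued header instead of the CF-Access-Client-Id / CF-Access-Client-Secret pair. The helpers below are an added example, not Cloudflare code: a client-side builder that emits whichever form the application expects, and a parser that accepts both forms strictly (exact key set, string values only, malformed JSON rejected) followed by a constant-time secret comparison. Access performs this matching itself; the parser here is what a test harness or an intermediate proxy would use. The token id and secret values are constructed, and the requirement that the JSON object contain exactly the two lowercase keys is this example's choice, since the page only says the value is "similar to" that object.

```python
"""Build and parse Access Service Token credentials in the pair-of-headers
form and the single JSON header form. Added example; strict key set is assumed."""
import hmac
import json
from typing import Dict, Optional, Tuple

ID_HEADER = "cf-access-client-id"
SECRET_HEADER = "cf-access-client-secret"


def build_service_token_headers(client_id: str, client_secret: str,
                                single_header_name: Optional[str] = None) -> Dict[str, str]:
    """Client side. With no single_header_name, emit the classic header pair;
    otherwise emit one header (the app's read_service_tokens_from_header name)
    whose value is the JSON object shown in the schema description."""
    if single_header_name is None:
        return {ID_HEADER: client_id, SECRET_HEADER: client_secret}
    payload = {ID_HEADER: client_id, SECRET_HEADER: client_secret}
    return {single_header_name: json.dumps(payload, separators=(",", ":"))}


def extract_service_token(headers: Dict[str, str],
                          single_header_name: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Server side. Return (client_id, client_secret) from either form, or None.
    Header names compare case-insensitively (HTTP semantics). The JSON form is
    rejected outright if it is not an object with exactly the two expected
    string-valued keys, so a half-parsed credential is never trusted."""
    lower = {k.lower(): v for k, v in headers.items()}
    if single_header_name is not None and single_header_name.lower() in lower:
        try:
            obj = json.loads(lower[single_header_name.lower()])
        except ValueError:
            return None
        if (not isinstance(obj, dict)
                or set(obj) != {ID_HEADER, SECRET_HEADER}
                or not all(isinstance(v, str) for v in obj.values())):
            return None
        return obj[ID_HEADER], obj[SECRET_HEADER]
    if ID_HEADER in lower and SECRET_HEADER in lower:
        return lower[ID_HEADER], lower[SECRET_HEADER]
    return None


def service_token_valid(presented: Optional[Tuple[str, str]],
                        known: Dict[str, str]) -> bool:
    """Look the client id up, then compare the secret in constant time so the
    comparison leaks no timing information about how many bytes matched."""
    if presented is None:
        return False
    client_id, secret = presented
    expected = known.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(secret.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample credential; real ids look like <hex>.access.<team>.com.
    known = {"svc-id.access.example.com": "s3cr3t-value"}
    hdrs = build_service_token_headers("svc-id.access.example.com", "s3cr3t-value", "X-Svc-Token")
    print(hdrs)
    print(service_token_valid(extract_service_token(hdrs, "X-Svc-Token"), known))  # True
```

The single-header form is useful where an upstream hop cannot forward two custom headers, but the JSON value still carries the secret in clear text over the TLS connection, so the same rotation and storage rules apply as for the header pair.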
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class McpServerApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
- `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be enabled if cors_headers is set. - `policies: Optional[List[McpServerApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
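When Access acts as the OAuth authorization server for an MCP server application, the `dynamic_client_registration` block above is what stands between an arbitrary registering client and an authorization code delivered to its chosen redirect URI; a loose match here is an open redirect that hands codes to an attacker. The checker below is an added example, not Cloudflare code, written against the four fields the schema describes: `enabled`, `allow_any_on_localhost`, `allow_any_on_loopback` and `allowed_uris` (https only, entries may end in `/*`). Everything not stated on the page is this example's assumption: exact match after lowercasing scheme and host, `/*` as a path prefix that must include the slash, dot-segment normalization, rejection of fragments and userinfo, `localhost` and `127.0.0.1` taken literally, and the sample configuration.

```python
"""Redirect URI admission check for dynamically registered OAuth clients,
driven by a dynamic_client_registration dict shaped like the schema above.
Added example; matching rules beyond the field descriptions are assumed."""
import posixpath
from typing import Any, Dict, Optional, Tuple
from urllib.parse import urlsplit


def normalize(uri: str) -> Optional[str]:
    """Canonical form for comparison: lowercase scheme and host, explicit port
    only if given, dot segments resolved, query kept. Returns None for URIs
    that must never be accepted as redirect targets: missing scheme or host,
    userinfo (a@b tricks), or a fragment (forbidden by RFC 6749)."""
    parts = urlsplit(uri)
    try:
        port = parts.port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname or parts.fragment or parts.username:
        return None
    netloc = parts.hostname.lower() + (f":{port}" if port else "")
    path = posixpath.normpath(parts.path or "/")
    if (parts.path or "/").endswith("/") and path != "/":
        path += "/"                      # normpath drops the trailing slash; keep it
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{netloc}{path}{query}"


def redirect_uri_allowed(uri: str, dcr: Dict[str, Any]) -> Tuple[bool, str]:
    """Decide whether `uri` is an acceptable redirect_uri under the
    dynamic_client_registration settings `dcr`. Returns (allowed, reason)."""
    if not dcr.get("enabled", False):
        return False, "dynamic client registration is disabled"
    norm = normalize(uri)
    if norm is None:
        return False, "malformed redirect URI (scheme and host required; no fragment or userinfo)"
    parts = urlsplit(norm)
    host = parts.hostname

    # Development opt-ins. These are taken literally: 'localhost' and
    # '127.0.0.1' only, as the field descriptions name them.
    if host == "localhost":
        ok = bool(dcr.get("allow_any_on_localhost"))
        return ok, "localhost redirect " + ("allowed" if ok else "not allowed")
    if host == "127.0.0.1":
        ok = bool(dcr.get("allow_any_on_loopback"))
        return ok, "loopback redirect " + ("allowed" if ok else "not allowed")

    if parts.scheme != "https":
        return False, "non-localhost redirect URIs must use https"

    for entry in dcr.get("allowed_uris") or []:
        if entry.endswith("/*"):
            prefix = normalize(entry[:-1])          # keep the slash before '*'
            if prefix and prefix.startswith("https://") and norm.startswith(prefix):
                return True, f"prefix match on {entry}"
        else:
            exact = normalize(entry)
            if exact and exact.startswith("https://") and norm == exact:
                return True, f"exact match on {entry}"
    return False, "redirect URI not in allowed_uris"


# Constructed sample configuration, shaped like the schema's
# dynamic_client_registration object.
SAMPLE_DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": ["https://app.example.com/oauth/callback",
                     "https://mcp.example.com/cb/*"],
}

if __name__ == "__main__":
    for candidate in ("https://app.example.com/oauth/callback",
                      "https://mcp.example.com/cb/../admin",
                      "http://localhost:8080/cb"):
        print(candidate, redirect_uri_allowed(candidate, SAMPLE_DCR))
```

The dot-segment normalization is the part most implementations skip: `https://mcp.example.com/cb/../admin` textually starts with the allowed prefix, but the browser resolves it to `/admin` before following the redirect, so the check has to compare the resolved path.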
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. 
Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `class McpServerPortalApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerPortalApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. 
- `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: Optional[List[McpServerPortalApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. 
Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. 
- `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. 
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
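The policy semantics described above (Include rules combined with OR, Exclude with NOT, Require with AND, policies ordered by a unique `precedence`) and the `300ms`/`2h45m` duration format, as an added Python example that is not part of the Cloudflare SDK or its documentation. The `group` rule shape is taken from the sample response on this page; the `everyone`, `email`, `email_domain` and `geo` shapes, the contractor group id, the user records, and deny-by-default when no policy matches are assumptions of this example.

```python
import re
from typing import Any, Dict, List, Optional

# Duration format used on this page for session_duration and
# access_token_lifetime: e.g. "300ms" or "2h45m"; units ns, us (or µs), ms, s, m, h.
_UNIT_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 1_000_000_000, "m": 60_000_000_000, "h": 3_600_000_000_000,
}
_DURATION_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration_ns(value: str) -> int:
    """Parse a "2h45m"-style duration into nanoseconds; ValueError on any stray text."""
    if not value:
        raise ValueError("empty duration")
    pos, total = 0, 0.0
    while pos < len(value):
        tok = _DURATION_TOKEN.match(value, pos)
        if tok is None:
            raise ValueError(f"malformed duration {value!r} at offset {pos}")
        total += float(tok.group(1)) * _UNIT_NS[tok.group(2)]
        pos = tok.end()
    return int(total)


def valid_mfa_session_duration(value: str) -> bool:
    """mfa_config.session_duration: whole minutes (m) or hours (h), 0m..720h inclusive."""
    tok = re.fullmatch(r"(\d+)([mh])", value)
    if tok is None:
        return False
    hours = int(tok.group(1)) / 60 if tok.group(2) == "m" else int(tok.group(1))
    return 0 <= hours <= 720


def rule_matches(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Evaluate one AccessRule against a user record. Only `group` is taken from the
    page's sample response; the other rule shapes are assumed for illustration."""
    email = user.get("email", "").lower()
    if "everyone" in rule:
        return True
    if "group" in rule:
        return rule["group"]["id"] in user.get("groups", ())
    if "email" in rule:
        return rule["email"]["email"].lower() == email
    if "email_domain" in rule:
        return email.endswith("@" + rule["email_domain"]["domain"].lower())
    if "geo" in rule:
        return rule["geo"]["country_code"] == user.get("country")
    raise ValueError(f"unsupported rule type: {sorted(rule)}")


def policy_matches(policy: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """include: OR (at least one must match); exclude: NOT (none may match);
    require: AND (all must match). A policy with no include rules matches nobody."""
    if not any(rule_matches(r, user) for r in policy.get("include") or []):
        return False
    if any(rule_matches(r, user) for r in policy.get("exclude") or []):
        return False
    return all(rule_matches(r, user) for r in policy.get("require") or [])


def evaluate(policies: List[Dict[str, Any]], user: Dict[str, Any]) -> Optional[str]:
    """Return the decision of the first matching policy in precedence order.
    Precedence must be unique within an app (a constraint stated on this page).
    None means no policy matched; treating that as a denial is an assumption here."""
    seen = [p["precedence"] for p in policies]
    if len(seen) != len(set(seen)):
        raise ValueError("policy precedence must be unique within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, user):
            return policy["decision"]
    return None


# Constructed sample policies. DEV_GROUP is the group id in the page's sample
# response; the contractor group id and the user records below are made up.
DEV_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
CONTRACTOR_GROUP = "11111111-2222-4333-8444-555555555555"

SAMPLE_POLICIES = [
    {"name": "Block contractors", "precedence": 0, "decision": "deny",
     "include": [{"group": {"id": CONTRACTOR_GROUP}}]},
    {"name": "Allow devs", "precedence": 1, "decision": "allow",
     "include": [{"group": {"id": DEV_GROUP}}, {"email": {"email": "oncall@example.com"}}],
     "exclude": [{"geo": {"country_code": "XX"}}],
     "require": [{"email_domain": {"domain": "example.com"}}]},
]

if __name__ == "__main__":
    dev = {"email": "dev@example.com", "groups": [DEV_GROUP], "country": "US"}
    print(evaluate(SAMPLE_POLICIES, dev))  # allow
    print(parse_duration_ns("2h45m"))      # 9900000000000
```

The lower-precedence deny policy wins for a user in both groups, and a dev whose `geo` hits the Exclude rule or whose mail domain fails the Require rule matches no policy at all.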
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
application = client.zero_trust.access.applications.get(
    app_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(application)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Add an Access application

`zero_trust.access.applications.create(ApplicationCreateParams**kwargs) -> ApplicationCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Adds a new application to Access.

### Parameters

- `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `type: ApplicationType` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[SequenceNotStr[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeadersParam]` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. - `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers. - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[SequenceNotStr[str]]` The custom pages that will be displayed when applicable for this application. - `destinations: Optional[Iterable[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class SelfHostedApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. 
- `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[SequenceNotStr[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: Optional[SequenceNotStr[SelfHostedApplicationPolicy]]` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `class SelfHostedApplicationPolicyAccessAppPolicyLink: …` A JSON object that links a reusable policy to an application. - `id: Optional[str]` The UUID of the policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. 
- `str` The UUID of the policy. - `class SelfHostedApplicationPolicyUnionMember2: …` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SelfHostedApplicationPolicyUnionMember2MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application. 
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: str` URL used to generate the auth code used during token generation. - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `Iterable[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[Iterable[SCIMConfigMappingParam]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations. - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations. - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[SequenceNotStr[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[SequenceNotStr[str]]` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. ### Returns - `ApplicationCreateResponse` - `class SelfHostedApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. 
- `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers. - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). 
- `class SelfHostedApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. 
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. 
Cannot be turned on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: Optional[List[SelfHostedApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country. - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Matches an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. 
        - `everyone: Everyone` An empty object which matches on all users.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: ExternalEvaluation`
          - `evaluate_url: str` The API endpoint containing your business logic.
          - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `github_organization: GitHubOrganization`
          - `identity_provider_id: str` The ID of your GitHub identity provider.
          - `name: str` The name of the organization.
          - `team: Optional[str]` The name of the team.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: GSuite`
          - `email: str` The email of the Google Workspace group.
          - `identity_provider_id: str` The ID of your Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
        - `login_method: AccessLoginMethodRuleLoginMethod`
          - `id: str` The ID of an identity provider.
      - `class IPListRule: …` Matches an IP address from a list.
        - `ip_list: IPList`
          - `id: str` The ID of a previously created IP list.
      - `class IPRule: …` Matches an IP address block.
        - `ip: IP`
          - `ip: str` An IPv4 or IPv6 CIDR block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `okta: Okta`
          - `identity_provider_id: str` The ID of your Okta identity provider.
          - `name: str` The name of the Okta group.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `saml: SAML`
          - `attribute_name: str` The name of the SAML attribute.
          - `attribute_value: str` The SAML attribute value to look for.
          - `identity_provider_id: str` The ID of your SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: AccessOIDCClaimRuleOIDC`
          - `claim_name: str` The name of the OIDC claim.
          - `claim_value: str` The OIDC claim value to look for.
          - `identity_provider_id: str` The ID of your OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `service_token: ServiceToken`
          - `token_id: str` The ID of a Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
          - `app_uid: str` The ID of an Access OIDC SaaS application.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
        - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
          - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
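Added example, not code from the Cloudflare SDK or its documentation: a pre-flight check for a policy object shaped like the fields above. It parses the Go-style `session_duration` format (`300ms`, `2h45m`; the application-level field uses the same format), enforces the m/h-only, 0m to 720h rule for `mfa_config.session_duration`, and simulates how `include` (OR), `require` (AND) and `exclude` (NOT) combine in `precedence` order. The user-context keys and the first-match-wins rule are this simulator's assumptions, not something the reference states.

```python
"""Added example, not from the Cloudflare SDK or its docs: pre-flight checks
for an Access policy shaped like the fields above. parse_duration parses the
Go-style session_duration format; check_mfa_session_duration enforces the
m/h-only, 0m..720h rule of mfa_config; policy_matches/decide show how
include (OR), require (AND) and exclude (NOT) combine and how precedence
orders policies. User-context keys (email, ip, country, ...) are assumptions."""
from __future__ import annotations

import ipaddress
import re
from typing import Any

# Units the page lists (ns, us or µs, ms, s, m, h), expressed in nanoseconds.
_UNIT_NS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_MFA = re.compile(r"^(\d+)([mh])$")
MFA_MAX_MINUTES = 720 * 60  # 720h = 30 days


def parse_duration(value: str) -> int:
    """Return '300ms' or '2h45m' as nanoseconds. Rejects empty input,
    unknown units such as 'd', and leftover characters."""
    if not value:
        raise ValueError("session_duration must not be empty")
    pos, total = 0, 0.0
    while pos < len(value):
        m = _TOKEN.match(value, pos)
        if m is None:
            raise ValueError(f"bad session_duration {value!r} at offset {pos}")
        total += float(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    return int(total)


def check_mfa_session_duration(value: str) -> int:
    """Return minutes for mfa_config.session_duration (m or h only, <= 720h)."""
    m = _MFA.match(value)
    if m is None:
        raise ValueError(f"MFA session_duration must look like '5m' or '24h': {value!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > MFA_MAX_MINUTES:
        raise ValueError(f"MFA session_duration {value!r} exceeds 720h")
    return minutes


def rule_matches(rule: dict[str, Any], user: dict[str, Any]) -> bool:
    """Evaluate one AccessRule object (keyed by its rule type) against a user."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return user.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        domain = user.get("email", "").rpartition("@")[2].lower()
        return domain == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in user.get("group_ids", ())
    if "ip" in rule:  # the rule carries an IPv4 or IPv6 CIDR block
        net = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        return "ip" in user and ipaddress.ip_address(user["ip"]) in net
    if "geo" in rule:
        return user.get("country") == rule["geo"]["country_code"]
    if "user_risk_score" in rule:
        levels = rule["user_risk_score"]["user_risk_score"]
        return user.get("risk", "unscored") in levels
    raise ValueError(f"unsupported rule type: {sorted(rule)}")


def policy_matches(policy: dict[str, Any], user: dict[str, Any]) -> bool:
    """include is OR (at least one; an empty list matches nobody),
    require is AND (all must match), exclude is NOT (none may match)."""
    if not any(rule_matches(r, user) for r in policy.get("include") or []):
        return False
    if not all(rule_matches(r, user) for r in policy.get("require") or []):
        return False
    return not any(rule_matches(r, user) for r in policy.get("exclude") or [])


def decide(policies: list[dict[str, Any]], user: dict[str, Any]) -> str:
    """Walk policies by ascending precedence. Simulator assumption: the first
    matching policy decides, and a user matching no policy is denied."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, user):
            return policy["decision"]
    return "deny"


# Constructed sample policies; the group id and domain are placeholders.
POLICIES = [
    {"name": "Block high-risk sessions", "precedence": 1, "decision": "deny",
     "include": [{"everyone": {}}],
     "require": [{"user_risk_score": {"user_risk_score": ["high"]}}]},
    {"name": "Allow staff from the US", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"group": {"id": "placeholder-group-id"}}],
     "require": [{"geo": {"country_code": "US"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}]},
]
```

Run the duration checks on every policy before calling `create` or `update`; a rejected value here is an API error later, and the simulator makes a precedence mistake (a broad deny ordered after a narrow allow) visible before it ships.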
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: str` Password used to authenticate with the remote SCIM service.
        - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: str` User name used to authenticate with the remote SCIM service.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: str` Token used to authenticate with the remote SCIM service.
        - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: str` URL used to generate the auth code used during token generation.
        - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
        - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
        - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class SaaSApplication: …`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[SaaSApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `saas_app: Optional[SaaSApplicationSaaSApp]`
    - `class SAMLSaaSApp: …`
      - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: Optional[List[CustomAttribute]]`
        - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
        - `name: Optional[str]` The name of the attribute.
        - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
        - `source: Optional[CustomAttributeSource]`
          - `name: Optional[str]` The name of the IdP attribute.
          - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
            - `idp_id: Optional[str]` The UID of the IdP.
            - `source_name: Optional[str]` The name of the IdP-provided attribute.
      - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
      - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
      - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
    - `class OIDCSaaSApp: …`
      - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: Optional[bool]` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client id.
      - `client_secret: Optional[str]` The application client secret, only returned on POST request.
      - `custom_claims: Optional[List[CustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` If the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[CustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: Optional[RefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access. The "offline_access" scope is enabled automatically if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
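The duration-string fields on this page each state a different format (`mfa_config.session_duration` in whole minutes or hours up to 720h; `session_duration` and the OAuth grant lifetimes as Go-style durations; the SaaS `refresh_token_options.lifetime` in m/h/d and longer than 1m), and the API rejects a payload that mixes them up. The following is an added example, not code from the cloudflare SDK, that validates those fields client-side before a create or update call; the function names and the sample payload are this example's own.

```python
"""Client-side validation of the duration-string fields described on this page.

Added example, not part of the cloudflare SDK. Formats checked are the ones the
field descriptions state: Go-style durations with units ns, us (or µs), ms, s,
m, h for `session_duration` and the OAuth grant `access_token_lifetime` /
`session_duration`; minutes or hours between 0m and 720h for
`mfa_config.session_duration`; and m/h/d, longer than 1m, for the SaaS
`refresh_token_options.lifetime`.
"""
import re

# Nanoseconds per unit, the unit set the field descriptions list.
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# One "<number><unit>" token; a valid duration is one or more tokens and nothing else.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_go_duration(value: str) -> int:
    """Parse a duration such as '300ms' or '2h45m' into nanoseconds.

    Raises ValueError for anything that is not a run of number+unit tokens
    (for example '8 hours', '30d', '' or '5').
    """
    tokens = list(_TOKEN.finditer(value or ""))
    if not tokens or "".join(t.group(0) for t in tokens) != value:
        raise ValueError(f"invalid duration: {value!r}")
    total = 0.0
    for t in tokens:
        total += float(t.group(1)) * _UNIT_NS[t.group(2)]
    return int(round(total))


def validate_go_duration(value: str) -> bool:
    """True if value is acceptable for session_duration / access_token_lifetime."""
    try:
        parse_go_duration(value)
    except ValueError:
        return False
    return True


_MFA_DURATION = re.compile(r"(\d+)([mh])")
_MFA_MAX_NS = 720 * _UNIT_NS["h"]  # 720h, i.e. 30 days


def validate_mfa_session_duration(value: str) -> bool:
    """mfa_config.session_duration: whole minutes or hours, 0m <= value <= 720h."""
    m = _MFA_DURATION.fullmatch(value or "")
    if m is None:
        return False
    return int(m.group(1)) * _UNIT_NS[m.group(2)] <= _MFA_MAX_NS


_REFRESH_LIFETIME = re.compile(r"(\d+)([mhd])")


def validate_refresh_token_lifetime(value: str) -> bool:
    """refresh_token_options.lifetime: units m, h, d; must be longer than 1m."""
    m = _REFRESH_LIFETIME.fullmatch(value or "")
    if m is None:
        return False
    unit_ns = {"m": _UNIT_NS["m"], "h": _UNIT_NS["h"], "d": 24 * _UNIT_NS["h"]}
    return int(m.group(1)) * unit_ns[m.group(2)] > _UNIT_NS["m"]


def check_application_durations(app: dict) -> list:
    """Return the dotted paths of duration fields in an application payload that fail validation."""
    problems = []
    if "session_duration" in app and not validate_go_duration(app["session_duration"]):
        problems.append("session_duration")
    mfa = app.get("mfa_config") or {}
    if "session_duration" in mfa and not validate_mfa_session_duration(mfa["session_duration"]):
        problems.append("mfa_config.session_duration")
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    for key in ("access_token_lifetime", "session_duration"):
        if key in grant and not validate_go_duration(grant[key]):
            problems.append(f"oauth_configuration.grant.{key}")
    refresh = app.get("refresh_token_options") or {}
    if "lifetime" in refresh and not validate_refresh_token_lifetime(refresh["lifetime"]):
        problems.append("refresh_token_options.lifetime")
    for i, policy in enumerate(app.get("policies") or []):
        if "session_duration" in policy and not validate_go_duration(policy["session_duration"]):
            problems.append(f"policies[{i}].session_duration")
        pmfa = policy.get("mfa_config") or {}
        if "session_duration" in pmfa and not validate_mfa_session_duration(pmfa["session_duration"]):
            problems.append(f"policies[{i}].mfa_config.session_duration")
    return problems


# Constructed payload for illustration; the values are not from a real account.
SAMPLE_APP = {
    "name": "example-ssh",
    "session_duration": "24h",
    "mfa_config": {"session_duration": "30d"},  # days are not allowed for MFA sessions
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "2h45m"}},
    "policies": [
        {"name": "admins", "session_duration": "300ms", "mfa_config": {"session_duration": "720h"}},
        {"name": "contractors", "session_duration": "8 hours"},  # not a Go-style duration
    ],
}

if __name__ == "__main__":
    print(check_application_durations(SAMPLE_APP))
```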
  - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserSSHApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Authentication scheme for SCIM provisioning to this application (one of the following).
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
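The `policies` fields above define the rule semantics (Include rules ORed, Exclude rules NOT any, Require rules ANDed, and a `precedence` that must be unique per application). The following is an added example, not code from the cloudflare SDK, that evaluates those semantics over constructed policies so the effect of a rule set can be checked before it is deployed; it assumes the Access API's JSON rule shapes (`{"email": {...}}`, `{"email_domain": {...}}`, `{"group": {...}}`, `{"geo": {...}}`, `{"ip": {...}}`, `{"everyone": {}}`), ascending-precedence evaluation with the first match deciding, and placeholder group ids and IP ranges.

```python
"""Evaluate Access policy rule semantics as the field descriptions state them.

Added example, not part of the cloudflare SDK. Assumptions: rules use the
Access API JSON shapes listed in the lead-in, policies are evaluated in
ascending `precedence`, and the first matching policy's `decision` applies.
Function names and the sample policies are this example's own.
"""
import ipaddress


def rule_matches(rule: dict, user: dict) -> bool:
    """True if one AccessRule matches the user context (email, groups, country, ip)."""
    [(kind, body)] = rule.items()  # each rule dict carries exactly one rule type
    email = (user.get("email") or "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return email.endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in (user.get("groups") or ())
    if kind == "geo":
        return user.get("country") == body["country_code"]
    if kind == "ip":
        if not user.get("ip"):
            return False
        return ipaddress.ip_address(user["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    raise ValueError(f"unsupported rule type in this example: {kind}")


def policy_matches(policy: dict, user: dict) -> bool:
    """Include: OR. Exclude: NOT any. Require: AND. A policy with no Include rules matches nobody."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    return (
        any(rule_matches(r, user) for r in include)
        and not any(rule_matches(r, user) for r in exclude)
        and all(rule_matches(r, user) for r in require)
    )


def evaluate(policies: list, user: dict) -> tuple:
    """Return (decision, policy name) of the first matching policy in precedence order.

    Returns (None, None) when no policy matches; Access denies the request in that case.
    """
    precedences = [p["precedence"] for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, user):
            return policy["decision"], policy["name"]
    return None, None


# Constructed policies. The group id is a placeholder and 203.0.113.0/24 is a
# documentation prefix standing in for an office network.
SAMPLE_POLICIES = [
    {
        "name": "deny contractors off the office network",
        "precedence": 1,
        "decision": "deny",
        "include": [{"group": {"id": "CONTRACTOR_GROUP_ID"}}],
        "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],
    },
    {
        "name": "allow staff from the US",
        "precedence": 2,
        "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}}],
        "exclude": [{"email": {"email": "intern@example.com"}}],
        "require": [{"geo": {"country_code": "US"}}],
    },
]

if __name__ == "__main__":
    staff = {"email": "alice@example.com", "groups": [], "country": "US", "ip": "198.51.100.7"}
    print(evaluate(SAMPLE_POLICIES, staff))
```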
- `class BrowserVNCApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application
  - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserVNCApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserVNCApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the log in button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BookmarkApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account to use this feature.
    - `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Requires users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class InfrastructureApplication: …`
  - `target_criteria: List[InfrastructureApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["SSH"]` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `aud: Optional[str]` Audience tag.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[InfrastructureApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application.
      - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH.
- `allow_email_alias: Optional[bool]` Enables using Identity Provider email alias as SSH username. - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. 
Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. 
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access policy. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: List[BrowserRDPApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["RDP"]` The communication protocol your application secures. - `"RDP"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. 
Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserRDPApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. 
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be enabled if `cors_headers` is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path.
If disabled, the JWT is scoped to the hostname by default. - `policies: Optional[List[BrowserRDPApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group.
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows Access Service Tokens to be passed over HTTP in a single header with this name, as an alternative to the `CF-Access-Client-Id` and `CF-Access-Client-Secret` header pair. The header value is interpreted as a JSON object similar to:

```json
{
  "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
  "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
}
```

- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` The authentication scheme used for SCIM provisioning to this application; one of the following. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
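The include / require / exclude semantics stated for every policy above (include is an OR, require an AND, exclude a NOT) worked through as an added example. This is illustration code, not the Cloudflare SDK and not Access's own evaluation engine. The rule dict shapes follow the Access API wire format for the rule classes listed above (EveryoneRule as `{"everyone": {}}`, EmailRule as `{"email": {...}}`, DomainRule as `{"email_domain": {...}}`, CountryRule as `{"geo": {...}}`, IPRule as `{"ip": {...}}`, AuthenticationMethodRule as `{"auth_method": {...}}`, GroupRule as `{"group": {...}}`) but are assumed here, as is the convention that policies are tried in ascending `precedence` order and the first match decides. The identities and policies are constructed sample data.

```python
"""Local model of how an Access policy's rule groups combine.

Added illustration, not Cloudflare's evaluation engine. Assumptions: rule
dicts use the Access API wire shape (e.g. {"email_domain": {"domain": ...}}),
and policies are evaluated in ascending `precedence` order, first match wins.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Any, Iterable


@dataclass
class Identity:
    """Constructed request context standing in for the IdP claims Access sees."""
    email: str | None = None
    country: str | None = None      # ISO country code of the client
    ip: str | None = None
    mfa: bool = False               # whether the login used an MFA method
    groups: set[str] = field(default_factory=set)


def rule_matches(rule: dict[str, Any], who: Identity) -> bool:
    """Evaluate one rule dict such as {"geo": {"country_code": "US"}}."""
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return who.email is not None and who.email.lower() == spec["email"].lower()
    if kind == "email_domain":
        return who.email is not None and who.email.lower().endswith("@" + spec["domain"].lower())
    if kind == "geo":
        return who.country == spec["country_code"]
    if kind == "ip":
        # Mixed v4/v6 comparisons return False rather than raising.
        return who.ip is not None and ipaddress.ip_address(who.ip) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "auth_method":
        return who.mfa if spec["auth_method"] == "mfa" else False
    if kind == "group":
        return spec["id"] in who.groups
    raise ValueError(f"unsupported rule kind in this illustration: {kind}")


def policy_matches(policy: dict[str, Any], who: Identity) -> bool:
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    # Include: OR. An empty include list matches nobody.
    if not any(rule_matches(r, who) for r in include):
        return False
    # Require: AND. An empty require list adds no condition at all.
    if not all(rule_matches(r, who) for r in require):
        return False
    # Exclude: NOT. A single exclude hit takes the requester out of this policy.
    return not any(rule_matches(r, who) for r in exclude)


def decide(policies: Iterable[dict[str, Any]], who: Identity) -> str | None:
    """Return the decision of the first matching policy, or None (no match)."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, who):
            return policy["decision"]
    return None


# Constructed sample policies, not from any real account.
SAMPLE_POLICIES = [
    {"name": "block-contractors-offshore", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}]},
    {"name": "staff-mfa", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}, {"group": {"id": "grp-sre"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "health-check-bypass", "precedence": 3, "decision": "bypass",
     "include": [{"ip": {"ip": "198.51.100.0/24"}}]},
]

if __name__ == "__main__":
    for who in (Identity(email="alice@example.com", country="DE", mfa=True),
                Identity(email="alice@example.com", country="DE", mfa=False),
                Identity(email="bob@contractor.example", country="IN", mfa=True),
                Identity(ip="198.51.100.9")):
        print(who, "->", decide(SAMPLE_POLICIES, who))
```

Two points the list of rule classes alone does not make obvious: an empty `require` list imposes nothing, so `include: everyone` with no `require` is a public allow, and an `exclude` hit only removes the requester from that one policy, so evaluation falls through to the next policy by precedence rather than ending in a deny.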
- `class McpServerApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerPortalApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerPortalApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider id.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: str` The base URI for the application's SCIM-compatible API.
- `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
- `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: str` Which SCIM resource type this mapping applies to.
- `enabled: Optional[bool]` Whether or not this mapping is enabled.
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
- `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
- `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: Optional[List[str]]` The tags you want assigned to an application.
Tags are used to filter applications in the App Launcher dashboard.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
application = client.zero_trust.access.applications.create(
    domain="test.example.com/admin",
    type="self_hosted",
    account_id="account_id",
)
print(application)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
"cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" }, { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" } ], "enable_binding_cookie": true, "http_only_cookie_attribute": true, "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Admin Site", "oauth_configuration": { "dynamic_client_registration": { "allow_any_on_localhost": true, "allow_any_on_loopback": true, "allowed_uris": [ "https://example.com/callback" ], "enabled": true }, "enabled": true, "grant": { "access_token_lifetime": "5m", "session_duration": "24h" } }, "options_preflight_bypass": true, "path_cookie_attribute": true, "policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, 
"require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "read_service_tokens_from_header": "Authorization", "same_site_cookie_attribute": "strict", "scim_config": { "idp_uid": "idp_uid", "remote_uri": "remote_uri", "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" }, "deactivate_on_delete": true, "enabled": true, "mappings": [ { "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "enabled": true, "filter": "title pr or userType eq \"Intern\"", "operations": { "create": true, "delete": true, "update": true }, "strictness": "strict", "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])" } ] }, "self_hosted_domains": [ "test.example.com/admin", "test.anotherexample.com/staff" ], "service_auth_401_redirect": true, "session_duration": "24h", "skip_interstitial": true, "tags": [ "engineers" ], "updated_at": "2014-01-01T05:20:00.12345Z", "use_clientless_isolation_app_launcher_url": false } } ``` ## Update an Access application `zero_trust.access.applications.update(AppIDapp_id, ApplicationUpdateParams**kwargs) -> ApplicationUpdateResponse` **put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}` Updates an Access application. ### Parameters - `app_id: AppID` Identifier. - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. 
Mutually exclusive with the Account ID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
- `allowed_idps: Optional[SequenceNotStr[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `cors_headers: Optional[CORSHeadersParam]`
- `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
- `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
- `allow_all_origins: Optional[bool]` Allows all origins.
- `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
- `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
- `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
  - `"GET"`
  - `"POST"`
  - `"HEAD"`
  - `"PUT"`
  - `"DELETE"`
  - `"CONNECT"`
  - `"OPTIONS"`
  - `"TRACE"`
  - `"PATCH"`
- `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
- `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: Optional[SequenceNotStr[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[Iterable[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
- `type: Optional[Literal["public"]]`
  - `"public"`
- `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
- `class SelfHostedApplicationDestinationPrivateDestination: …`
- `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
- `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
  - `"tcp"`
  - `"udp"`
- `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
- `type: Optional[Literal["private"]]`
  - `"private"`
- `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
- `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
- `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
- `type: Optional[Literal["via_mcp_server_portal"]]`
  - `"via_mcp_server_portal"`
- `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
  - `"totp"`
  - `"biometrics"`
  - `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
- `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: Optional[SequenceNotStr[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
- `enabled: Optional[bool]` Whether dynamic client registration is enabled.
- `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
- `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
- `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
- `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
- `policies: Optional[SequenceNotStr[SelfHostedApplicationPolicy]]` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
- `class SelfHostedApplicationPolicyAccessAppPolicyLink: …` A JSON object that links a reusable policy to an application.
- `id: Optional[str]` The UUID of the policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `str` The UUID of the policy.
- `class SelfHostedApplicationPolicyUnionMember2: …`
- `id: Optional[str]` The UUID of the policy.
- `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
- `approvals_needed: float` The number of approvals needed to obtain access.
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
- `email_list_uuid: Optional[str]` The UUID of a reusable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRules]` The rules that define how users may connect to targets secured by your application.
- `rdp: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
- `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
  - `"text"`
- `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
  - `"text"`
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[SelfHostedApplicationPolicyUnionMember2MfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
  - `"totp"`
  - `"biometrics"`
  - `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: str` The base URI for the application's SCIM-compatible API.
- `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `password: str` Password used to authenticate with the remote SCIM service.
- `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
  - `"httpbasic"`
- `user: str` User name used to authenticate with the remote SCIM service.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `token: str` Token used to authenticate with the remote SCIM service.
- `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
  - `"oauthbearertoken"`
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `authorization_url: str` URL used to generate the auth code used during token generation.
- `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
- `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
- `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
  - `"oauth2"`
- `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
- `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
- `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `Iterable[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
- `mappings: Optional[Iterable[SCIMConfigMappingParam]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: str` Which SCIM resource type this mapping applies to.
- `enabled: Optional[bool]` Whether or not this mapping is enabled.
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
- `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
- `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
- `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
- `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
  - `"strict"`
  - `"passthrough"`
- `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains: Optional[SequenceNotStr[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
- `tags: Optional[SequenceNotStr[str]]` The tags you want assigned to an application.
Tags are used to filter applications in the App Launcher dashboard.
- `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

### Returns

- `ApplicationUpdateResponse`
- `class SelfHostedApplication: …`
- `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `type: ApplicationType` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`
- `id: Optional[str]` UUID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
- `aud: Optional[str]` Audience tag.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `cors_headers: Optional[CORSHeaders]`
- `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
- `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
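A local pre-flight check for the update parameters listed above: the `300ms`/`2h45m` duration format, the 0m to 720h bound on MFA `session_duration`, `options_preflight_bypass` versus `cors_headers`, the single-IdP requirement of `auto_redirect_to_identity`, `destinations` superseding `self_hosted_domains`, the `https` rule for `allowed_uris`, and unique policy `precedence`. This is an added example, not SDK code; the two sample dicts and the placeholder IDs in them are constructed, and the only SDK call it makes is the `update(app_id, **params)` documented here.

```python
"""Pre-flight lint for ApplicationUpdateParams (added example, not SDK code)."""
import re
from typing import Any, Dict, List

# Token duration format from the reference: <number><unit> groups such as
# "300ms" or "2h45m", with units ns, us (or µs), ms, s, m, h.
_DURATION_RE = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# MFA session_duration: minutes or hours only, 0m .. 720h (30 days).
_MFA_DURATION_RE = re.compile(r"^(\d+)([mh])$")
_MAX_MFA_MINUTES = 720 * 60


def is_valid_duration(value: str) -> bool:
    """True for strings in the `300ms` / `2h45m` format."""
    return bool(_DURATION_RE.match(value))


def is_valid_mfa_session_duration(value: str) -> bool:
    """True for `Nm` or `Nh` with 0m <= value <= 720h."""
    m = _MFA_DURATION_RE.match(value)
    if not m:
        return False
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return 0 <= minutes <= _MAX_MFA_MINUTES


def lint_update_params(params: Dict[str, Any]) -> List[str]:
    """Return one finding per violated rule; an empty list means the dict is consistent."""
    findings: List[str] = []
    if params.get("options_preflight_bypass") and params.get("cors_headers"):
        findings.append("options_preflight_bypass cannot be turned on when cors_headers is set")
    if params.get("auto_redirect_to_identity") and len(params.get("allowed_idps") or []) != 1:
        findings.append("auto_redirect_to_identity requires exactly one identity provider in allowed_idps")
    if params.get("destinations") and params.get("self_hosted_domains"):
        findings.append("self_hosted_domains is ignored because destinations is provided")
    sd = params.get("session_duration")
    if sd is not None and params.get("type") == "infrastructure":
        findings.append("session_duration is unsupported for infrastructure applications")
    elif sd is not None and not is_valid_duration(sd):
        findings.append(f"session_duration {sd!r} is not a valid duration")
    mfa = params.get("mfa_config") or {}
    if "session_duration" in mfa and not is_valid_mfa_session_duration(mfa["session_duration"]):
        findings.append("mfa_config.session_duration must be in minutes or hours, 0m to 720h")
    oauth = params.get("oauth_configuration") or {}
    for uri in (oauth.get("dynamic_client_registration") or {}).get("allowed_uris") or []:
        if not uri.startswith("https://"):
            findings.append(f"dynamic_client_registration.allowed_uris entry {uri!r} must use https")
    grant = oauth.get("grant") or {}
    for key in ("access_token_lifetime", "session_duration"):
        if key in grant and not is_valid_duration(grant[key]):
            findings.append(f"oauth_configuration.grant.{key} {grant[key]!r} is not a valid duration")
    seen_precedence = set()
    for i, policy in enumerate(params.get("policies") or []):
        if isinstance(policy, str):  # bare policy UUID member of the union
            continue
        prec = policy.get("precedence")
        if prec is not None:
            if prec in seen_precedence:
                findings.append(f"policies[{i}]: precedence {prec} is not unique within the app")
            seen_precedence.add(prec)
        if "session_duration" in policy and not is_valid_duration(policy["session_duration"]):
            findings.append(f"policies[{i}].session_duration {policy['session_duration']!r} is not valid")
    return findings


def update_application(client, app_id: str, params: Dict[str, Any]):
    """Lint, then call the SDK; refuses to send a dict that breaks a stated rule."""
    findings = lint_update_params(params)
    if findings:
        raise ValueError("refusing to update application:\n  " + "\n  ".join(findings))
    return client.zero_trust.access.applications.update(app_id, **params)


# Constructed sample: hardened cookie and MFA settings; IDs are placeholders.
HARDENED_PARAMS: Dict[str, Any] = {
    "domain": "admin.example.com", "type": "self_hosted", "account_id": "<ACCOUNT_ID>",
    "allowed_idps": ["<IDP_ID>"], "auto_redirect_to_identity": True,
    "enable_binding_cookie": True, "http_only_cookie_attribute": True,
    "same_site_cookie_attribute": "strict", "session_duration": "8h",
    "mfa_config": {"allowed_authenticators": ["security_key"], "session_duration": "12h"},
    "policies": [{"name": "Admins", "decision": "allow", "precedence": 1,
                  "include": [{"group": {"id": "<GROUP_ID>"}}], "session_duration": "8h"}],
}

# Constructed sample that breaks seven of the stated rules.
WEAK_PARAMS: Dict[str, Any] = {
    "domain": "admin.example.com", "type": "self_hosted", "account_id": "<ACCOUNT_ID>",
    "allowed_idps": ["<IDP_A>", "<IDP_B>"], "auto_redirect_to_identity": True,
    "cors_headers": {"allow_all_origins": True}, "options_preflight_bypass": True,
    "self_hosted_domains": ["admin.example.com"],
    "destinations": [{"type": "public", "uri": "admin.example.com"}],
    "session_duration": "1d",                    # "d" is not a valid unit
    "mfa_config": {"session_duration": "900h"},  # above the 720h maximum
    "oauth_configuration": {"dynamic_client_registration": {"allowed_uris": ["http://localhost/cb"]},
                            "grant": {"access_token_lifetime": "5m"}},
    "policies": [{"name": "a", "precedence": 1}, {"name": "b", "precedence": 1}],
}

if __name__ == "__main__":
    for label, p in (("hardened", HARDENED_PARAMS), ("weak", WEAK_PARAMS)):
        print(label, lint_update_params(p) or "OK")
```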
- `allow_all_origins: Optional[bool]` Allows all origins.
- `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
- `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
- `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
  - `"GET"`
  - `"POST"`
  - `"HEAD"`
  - `"PUT"`
  - `"DELETE"`
  - `"CONNECT"`
  - `"OPTIONS"`
  - `"TRACE"`
  - `"PATCH"`
- `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
- `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
- `type: Optional[Literal["public"]]`
  - `"public"`
- `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
- `class SelfHostedApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. 
Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. 
Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: Optional[List[SelfHostedApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. 
- `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
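The self-hosted application fields above carry several cross-field constraints that the API only reports after the request is sent (`options_preflight_bypass` versus `cors_headers`, `auto_redirect_to_identity` versus the size of `allowed_idps`, `destinations` superseding `self_hosted_domains`, two different duration syntaxes, unique policy `precedence`, `linked_app_token` only with `non_identity` or `bypass`). The following is an added example, not code from the cloudflare SDK or this reference: it assembles an update payload with public, private and policy entries in the documented shapes and checks those constraints locally. The hostnames, CIDR, posture integration ID, policy names and the `same_site_cookie_attribute` value are made up, and the browser rule about credentials with a wildcard origin is a CORS fact rather than something this reference states.

```python
# Added example (not code from the cloudflare SDK or its docs): build the update
# payload for a self-hosted Access application and check the cross-field rules the
# reference states before sending it. Hostnames, IDs and names below are made up.
import re

# session_duration / access_token_lifetime use Go-style durations ("300ms", "2h45m").
_GO_DURATION = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# mfa_config.session_duration accepts only minutes or hours, 0m .. 720h.
_MFA_DURATION = re.compile(r"^(\d+)([mh])$")
ALLOWED_DECISIONS = {"allow", "deny", "non_identity", "bypass"}


def mfa_duration_ok(value: str) -> bool:
    m = _MFA_DURATION.match(value)
    if not m:
        return False
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes <= 720 * 60


def policy(name, decision, precedence, include, require=(), exclude=()):
    """One entry for `policies`, with the SelfHostedApplicationPolicy field names."""
    return {"name": name, "decision": decision, "precedence": precedence,
            "include": list(include), "require": list(require), "exclude": list(exclude)}


def self_hosted_app(name, domain, destinations, policies, **options):
    app = {"type": "self_hosted", "name": name, "domain": domain,
           "destinations": destinations, "policies": policies}
    app.update(options)
    return app


def validate_app(app):
    """Return a list of problems; an empty list means the documented rules hold."""
    problems = []
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be on while cors_headers is set")
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        problems.append("auto_redirect_to_identity needs exactly one entry in allowed_idps")
    if app.get("destinations") and app.get("self_hosted_domains"):
        problems.append("self_hosted_domains is ignored when destinations is set")
    cors = app.get("cors_headers") or {}
    if cors.get("allow_credentials") and cors.get("allow_all_origins"):
        # Browser CORS rule, not an Access rule: credentials are never sent to a '*' origin.
        problems.append("allow_credentials with allow_all_origins is rejected by browsers")
    if "session_duration" in app and not _GO_DURATION.match(app["session_duration"]):
        problems.append(f"bad session_duration {app['session_duration']!r}")
    mfa = app.get("mfa_config") or {}
    if "session_duration" in mfa and not mfa_duration_ok(mfa["session_duration"]):
        problems.append(f"bad mfa_config.session_duration {mfa['session_duration']!r}")
    for d in app.get("destinations", []):
        if d.get("type") == "via_mcp_server_portal" and not d.get("mcp_server_id"):
            problems.append("via_mcp_server_portal destination needs mcp_server_id")
        if d.get("type") == "private" and d.get("l4_protocol") not in (None, "tcp", "udp"):
            problems.append(f"bad l4_protocol {d['l4_protocol']!r}")
    seen = set()
    for p in app.get("policies", []):
        name = p.get("name")
        if p.get("decision") not in ALLOWED_DECISIONS:
            problems.append(f"policy {name!r}: unknown decision {p.get('decision')!r}")
        if p.get("precedence") in seen:
            problems.append(f"policy {name!r}: duplicate precedence {p['precedence']}")
        seen.add(p.get("precedence"))
        rules = p.get("include", []) + p.get("require", []) + p.get("exclude", [])
        if any("linked_app_token" in r for r in rules) and p.get("decision") not in ("non_identity", "bypass"):
            problems.append(f"policy {name!r}: linked_app_token needs non_identity or bypass")
    return problems


# Constructed sample: a wiki reachable publicly and over a private /24, staff only,
# posture-checked, plus a service-token policy for automation.
WIKI_APP = self_hosted_app(
    name="internal wiki", domain="wiki.example.com",
    destinations=[
        {"type": "public", "uri": "wiki.example.com/*"},
        {"type": "private", "cidr": "10.20.0.0/24", "port_range": "443", "l4_protocol": "tcp"},
    ],
    policies=[
        policy("staff", "allow", 1,
               include=[{"email_domain": {"domain": "example.com"}}],
               require=[{"device_posture": {"integration_uid": "11111111-2222-3333-4444-555555555555"}}],
               exclude=[{"geo": {"country_code": "KP"}}]),
        policy("automation", "non_identity", 2, include=[{"any_valid_service_token": {}}]),
    ],
    session_duration="24h", mfa_config={"session_duration": "12h"},
    enable_binding_cookie=True, http_only_cookie_attribute=True,
    same_site_cookie_attribute="strict", service_auth_401_redirect=True,
)

# The same app with every documented conflict switched on at once.
BROKEN_APP = dict(WIKI_APP, options_preflight_bypass=True,
                  cors_headers={"allow_all_origins": True, "allow_credentials": True},
                  auto_redirect_to_identity=True, self_hosted_domains=["wiki.example.com"],
                  session_duration="1 day", mfa_config={"session_duration": "721h"})

if __name__ == "__main__":
    for label, app in (("WIKI_APP", WIKI_APP), ("BROKEN_APP", BROKEN_APP)):
        print(label, validate_app(app) or "ok")
```

Run `validate_app` on the payload and only then hand it to the SDK; the call is assumed here to be `client.zero_trust.access.applications.update(app_id, account_id=..., **WIKI_APP)`, which returns the `ApplicationUpdateResponse` described above. The `allow`/`deny` policy with `include`, `require` and `exclude` lists is the shape every rule class in this reference plugs into.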
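`read_service_tokens_from_header` replaces the CF-Access-Client-Id / CF-Access-Client-Secret pair with one header whose value is the JSON object shown above. This added example (not code from the cloudflare SDK or this reference) produces that value on the client side and mirrors the server-side lookup, falling back to the header pair when the single header is absent and rejecting malformed values; the header name, URL and credential values are made up.

```python
# Added example (not from the cloudflare SDK): the single-header service token format
# that `read_service_tokens_from_header` enables, seen from both sides. The header name,
# URL and credential values below are made up.
import json
import urllib.request

PAIR_HEADERS = ("CF-Access-Client-Id", "CF-Access-Client-Secret")


def service_token_header_value(client_id: str, client_secret: str) -> str:
    """Encode a service token the way Access expects in the configured header."""
    return json.dumps({"cf-access-client-id": client_id,
                       "cf-access-client-secret": client_secret})


def build_request(url: str, header_name: str, client_id: str, client_secret: str):
    """A urllib request carrying the token in one header instead of the usual pair."""
    req = urllib.request.Request(url)
    req.add_header(header_name, service_token_header_value(client_id, client_secret))
    return req


def extract_service_token(headers, header_name=None):
    """Mirror of the server-side lookup: the configured single header is used when present,
    otherwise the CF-Access-Client-Id / CF-Access-Client-Secret pair. Header names are
    compared case-insensitively. Returns (client_id, client_secret) or None."""
    h = {k.lower(): v for k, v in headers.items()}
    if header_name and header_name.lower() in h:
        try:
            obj = json.loads(h[header_name.lower()])
        except json.JSONDecodeError:
            return None
        if not isinstance(obj, dict):
            return None
        cid = obj.get("cf-access-client-id")
        sec = obj.get("cf-access-client-secret")
    else:
        cid = h.get(PAIR_HEADERS[0].lower())
        sec = h.get(PAIR_HEADERS[1].lower())
    if not (isinstance(cid, str) and isinstance(sec, str) and cid and sec):
        return None
    return cid, sec


# Constructed credentials in the same shape as the reference's example values.
CLIENT_ID = "88bf3b6d86161464f6509f7219099e57.access.example.com"
CLIENT_SECRET = "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
HEADER = "X-Access-Service-Token"  # the value you would put in read_service_tokens_from_header

if __name__ == "__main__":
    req = build_request("https://wiki.example.com/api/health", HEADER, CLIENT_ID, CLIENT_SECRET)
    # urllib stores header names in its own capitalisation, so read them back case-insensitively.
    print(extract_service_token(dict(req.header_items()), HEADER))
```

Keep the secret out of URLs and logs exactly as you would with the header pair; the JSON wrapper changes the transport, not the sensitivity of the value.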
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: str` URL used to generate the auth code used during token generation. - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations. - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations. - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. 
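Each `scim_config.authentication` scheme above takes a different set of fields, and a `mappings` entry can silently apply to no operation at all if every flag in `operations` is false. The following is an added example, not code from the cloudflare SDK or this reference: it checks a `scim_config` block against the documented per-scheme fields, the `strictness` literals and the mapping flags before the update is sent. The requirement that `remote_uri` use `https://` is this example's own rule (credentials travel on every SCIM request), not one the reference states; the IdP UID, URLs, secret and JSONata expression are made up.

```python
# Added example (not from the cloudflare SDK): a pre-flight check for the scim_config
# block of an Access application. Required fields per scheme follow the reference;
# the https:// rule on remote_uri is this example's own. Values below are made up.

REQUIRED_BY_SCHEME = {
    "httpbasic": {"user", "password"},
    "oauthbearertoken": {"token"},
    "oauth2": {"authorization_url", "client_id", "client_secret", "token_url"},
    "access_service_token": {"client_id", "client_secret"},
}
OPTIONAL_BY_SCHEME = {"oauth2": {"scopes"}}
STRICTNESS = {"strict", "passthrough"}


def check_authentication(auth, where="authentication"):
    """Problems with one authentication object (scheme + its fields)."""
    scheme = auth.get("scheme")
    if scheme not in REQUIRED_BY_SCHEME:
        return [f"{where}: unknown scheme {scheme!r}"]
    required = REQUIRED_BY_SCHEME[scheme]
    missing = required - auth.keys()
    extra = auth.keys() - required - OPTIONAL_BY_SCHEME.get(scheme, set()) - {"scheme"}
    problems = []
    if missing:
        problems.append(f"{where}: {scheme} is missing {sorted(missing)}")
    if extra:
        problems.append(f"{where}: {scheme} does not take {sorted(extra)}")
    return problems


def check_scim_config(cfg):
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    for key in ("idp_uid", "remote_uri"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    if cfg.get("remote_uri") and not cfg["remote_uri"].startswith("https://"):
        problems.append("remote_uri should use https:// (credentials travel on every request)")
    auth = cfg.get("authentication")
    auths = auth if isinstance(auth, list) else ([auth] if auth else [])  # single or multi
    for i, a in enumerate(auths):
        problems += check_authentication(a, f"authentication[{i}]")
    if cfg.get("enabled") and not auths:
        problems.append("enabled scim_config needs an authentication block")
    for i, m in enumerate(cfg.get("mappings") or []):
        where = f"mappings[{i}]"
        if not m.get("schema"):
            problems.append(f"{where}: schema is required")
        if m.get("strictness") not in STRICTNESS | {None}:
            problems.append(f"{where}: strictness must be strict or passthrough")
        ops = m.get("operations")
        if ops is not None and not any(ops.get(k) for k in ("create", "update", "delete")):
            problems.append(f"{where}: operations disables create, update and delete")
    return problems


# Constructed sample: OAuth 2 to the app's SCIM API, active users only, soft-delete.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_CONFIG = {
    "enabled": True,
    "idp_uid": "6f6a7c4e-0f0d-4a1e-9c0b-2b7d3f1e5a90",
    "remote_uri": "https://wiki.example.com/scim/v2",
    "authentication": {
        "scheme": "oauth2",
        "authorization_url": "https://wiki.example.com/oauth/authorize",
        "token_url": "https://wiki.example.com/oauth/token",
        "client_id": "access-scim",
        "client_secret": "example-secret",
        "scopes": ["scim:write"],
    },
    "deactivate_on_delete": True,
    "mappings": [{
        "schema": USER_SCHEMA,
        "enabled": True,
        "filter": "active eq true",
        "operations": {"create": True, "update": True, "delete": False},
        "strictness": "strict",
        "transform_jsonata": '$merge([$, {"userName": $lowercase(userName)}])',
    }],
}

# The same block with the mistakes the checker is meant to catch.
BROKEN_CONFIG = {
    "enabled": True,
    "idp_uid": "6f6a7c4e-0f0d-4a1e-9c0b-2b7d3f1e5a90",
    "remote_uri": "http://wiki.example.com/scim/v2",
    "authentication": [{"scheme": "httpbasic", "user": "svc"},
                       {"scheme": "basic", "token": "x"}],
    "mappings": [{"schema": USER_SCHEMA, "strictness": "loose",
                  "operations": {"create": False, "update": False, "delete": False}}],
}

if __name__ == "__main__":
    print(check_scim_config(SCIM_CONFIG) or "ok")
    print(*check_scim_config(BROKEN_CONFIG), sep="\n")
```

`deactivate_on_delete` is worth setting deliberately: with `delete` left on in a mapping and `deactivate_on_delete` false, a deprovisioned identity turns into a DELETE against the target, which the reference notes some targets do not support.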
Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class SaaSApplication: …` - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `policies: Optional[List[SaaSApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. 
- `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. 
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `saas_app: Optional[SaaSApplicationSaaSApp]` - `class SAMLSaaSApp: …` - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: Optional[List[CustomAttribute]]` - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute. - `name: Optional[str]` The name of the attribute. - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: Optional[bool]` If the attribute is required when building a SAML assertion. - `source: Optional[CustomAttributeSource]` - `name: Optional[str]` The name of the IdP attribute. - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name. 
- `idp_id: Optional[str]` The UID of the IdP. - `source_name: Optional[str]` The name of the IdP-provided attribute. - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application. - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider. - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests. - `class OIDCSaaSApp: …` - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: Optional[bool]` Whether the token endpoint may be called without a client secret when the authorization_code_with_pkce grant is used (when true, the client secret is not required, as for a public client). 
- `app_launcher_url: Optional[str]` The URL where this application's tile redirects users. - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the saas app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: Optional[str]` The application client ID. - `client_secret: Optional[str]` The application client secret; only returned in the response to the creating POST request. - `custom_claims: Optional[List[CustomClaim]]` - `name: Optional[str]` The name of the claim. - `required: Optional[bool]` Whether the claim is required when building an OIDC token. - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: Optional[CustomClaimSource]` - `name: Optional[str]` The name of the IdP claim. - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name. - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", "hybrid", "implicit"]]]` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: Optional[str]` A regex to filter the Cloudflare groups returned in the ID token and at the userinfo endpoint. - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]` - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint. - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `redirect_uris: Optional[List[str]]` The permitted URLs to which Cloudflare returns authorization codes and Access/ID tokens. - `refresh_token_options: Optional[RefreshTokenOptions]` - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. 
Valid units are m,h,d. Must be longer than 1m. - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class BrowserSSHApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. 
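The OIDCSaaSApp fields documented above (`grant_types`, `hybrid_and_implicit_options`, `redirect_uris`, `allow_pkce_without_client_secret`, `access_token_lifetime`, `group_filter_regex`) are where most weak OIDC setups hide. The following is an added example, not code from this SDK or from Cloudflare: a small lint that takes a `saas_app` dict in the documented shape and reports the settings a reviewer would push back on, run over a constructed weak configuration and a constructed hardened one. The two configurations, the 60-minute access-token budget and the hostname `app.example.com` are assumptions for the example.

```python
import re
from typing import Any, Dict, List, Optional
from urllib.parse import urlsplit

# Two OIDCSaaSApp-shaped configurations, constructed for this example.
# Field names follow the reference above; every value is made up.
WEAK_OIDC_SAAS_APP: Dict[str, Any] = {
    "auth_type": "oidc",
    "grant_types": ["authorization_code", "implicit", "hybrid", "refresh_tokens"],
    "redirect_uris": ["http://app.example.com/callback", "https://app.example.com/callback"],
    "allow_pkce_without_client_secret": True,
    "access_token_lifetime": "24h",
    "group_filter_regex": "^(eng|sec",  # unbalanced parenthesis: never compiles
    "hybrid_and_implicit_options": {
        "return_access_token_from_authorization_endpoint": True,
        "return_id_token_from_authorization_endpoint": True,
    },
    "scopes": ["openid", "email", "profile", "groups"],
}

HARDENED_OIDC_SAAS_APP: Dict[str, Any] = {
    "auth_type": "oidc",
    "grant_types": ["authorization_code_with_pkce", "refresh_tokens"],
    "redirect_uris": ["https://app.example.com/callback"],
    "allow_pkce_without_client_secret": True,  # public client (SPA/native): PKCE stands in for the secret
    "access_token_lifetime": "15m",
    "group_filter_regex": "^(eng|sec)-",
    "refresh_token_options": {"lifetime": "8h"},
    "scopes": ["openid", "email", "profile", "groups"],
}

_LIFETIME = re.compile(r"^(\d+)([mh])$")  # the documented units for access_token_lifetime


def lifetime_minutes(value: str) -> Optional[int]:
    """Parse '15m' or '24h' into minutes; None when the format is not the documented one."""
    m = _LIFETIME.match(value)
    if not m:
        return None
    n = int(m.group(1))
    return n if m.group(2) == "m" else n * 60


def lint_oidc_saas_app(app: Dict[str, Any], max_access_token_minutes: int = 60) -> List[str]:
    """Return a list of findings; an empty list means no weak setting was spotted."""
    findings: List[str] = []
    grants = set(app.get("grant_types") or [])

    if "implicit" in grants:
        findings.append("grant_types: 'implicit' delivers tokens in the front channel (URL fragment); "
                        "use authorization_code_with_pkce instead")
    if "hybrid" in grants:
        opts = app.get("hybrid_and_implicit_options") or {}
        if opts.get("return_access_token_from_authorization_endpoint"):
            findings.append("hybrid_and_implicit_options: access token returned from the authorization "
                            "endpoint; leave access tokens to the token endpoint")
    if "authorization_code" in grants and "authorization_code_with_pkce" not in grants:
        findings.append("grant_types: authorization_code without PKCE; add authorization_code_with_pkce "
                        "so an intercepted code cannot be redeemed")
    if app.get("allow_pkce_without_client_secret") and "authorization_code_with_pkce" not in grants:
        findings.append("allow_pkce_without_client_secret is set but the PKCE grant is not enabled; "
                        "the setting does nothing as configured")

    for uri in app.get("redirect_uris") or []:
        parts = urlsplit(uri)
        if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"redirect_uris: {uri!r} is not https; authorization codes would travel in clear")

    lifetime = app.get("access_token_lifetime")
    if lifetime is not None:
        minutes = lifetime_minutes(lifetime)
        if minutes is None:
            findings.append(f"access_token_lifetime: {lifetime!r} is not of the form <n>m or <n>h")
        elif not 1 <= minutes <= 24 * 60:
            findings.append(f"access_token_lifetime: {lifetime!r} is outside the documented 1m..24h range")
        elif minutes > max_access_token_minutes:
            findings.append(f"access_token_lifetime: {lifetime!r} exceeds the {max_access_token_minutes}m budget")

    regex = app.get("group_filter_regex")
    if regex:
        try:
            re.compile(regex)
        except re.error as exc:
            findings.append(f"group_filter_regex: does not compile ({exc}); groups would not be filtered as intended")

    return findings


if __name__ == "__main__":
    for label, app in (("weak", WEAK_OIDC_SAAS_APP), ("hardened", HARDENED_OIDC_SAAS_APP)):
        print(label, lint_oidc_saas_app(app) or ["no findings"])
```

The lint is deliberately local: run it on the dict before it is submitted as `saas_app` so a bad regex or an `http` redirect URI is caught in review rather than after the application is live. The 60-minute budget is a policy choice; the 1m..24h bounds and the m/h units are the ones the field description gives.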
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserSSHApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. 
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in AI Controls. Access secures the MCP server when it is accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server ID configured in AI Controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. 
- `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. 
If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserSSHApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. 
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows an Access Service Token to be passed in a single HTTP header with this name, as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
The header value is interpreted as a JSON object of the form: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
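The policy fields above (`include` evaluated with OR, `exclude` with NOT, `require` with AND, `precedence` unique within an app, `decision`) describe the same evaluation for SaaS application policies earlier on this page and for the BrowserSSHApplication policies just listed. The following is an added example, not code from this SDK or from Cloudflare: a local model of that evaluation over a handful of the rule classes, so the interplay of the three rule lists and of precedence can be checked before a policy is pushed. The identities, policies, IP ranges and the rule "first matching policy in precedence order wins; no match is a deny" are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# What Access would know about the caller: IdP attributes, client IP, device posture,
# or a service token instead of a user. Constructed for this example.
@dataclass(frozen=True)
class Identity:
    email: str = ""
    groups: FrozenSet[str] = frozenset()
    country: str = ""
    ip: str = "0.0.0.0"
    service_token_id: Optional[str] = None
    posture_passed: FrozenSet[str] = frozenset()

Rule = Tuple[str, str]  # (rule class name as in the reference above, its value)


def rule_matches(identity: Identity, rule: Rule) -> bool:
    """A subset of the AccessRule classes; the rest would slot in the same way."""
    kind, value = rule
    if kind == "EveryoneRule":
        return True
    if kind == "EmailRule":
        return identity.email.lower() == value.lower()
    if kind == "DomainRule":
        return identity.email.lower().endswith("@" + value.lower())
    if kind == "GroupRule":
        return value in identity.groups
    if kind == "CountryRule":
        return identity.country == value
    if kind == "IPRule":
        return ipaddress.ip_address(identity.ip) in ipaddress.ip_network(value, strict=False)
    if kind == "AccessDevicePostureRule":
        return value in identity.posture_passed
    if kind == "ServiceTokenRule":
        return identity.service_token_id == value
    if kind == "AnyValidServiceTokenRule":
        return identity.service_token_id is not None
    raise ValueError(f"rule kind not modelled here: {kind}")


@dataclass
class Policy:
    name: str
    decision: str  # allow | deny | non_identity | bypass
    precedence: int
    include: List[Rule]
    exclude: List[Rule] = field(default_factory=list)
    require: List[Rule] = field(default_factory=list)


def policy_matches(policy: Policy, identity: Identity) -> bool:
    # include: OR, at least one rule must match
    if not any(rule_matches(identity, r) for r in policy.include):
        return False
    # exclude: NOT, no rule may match
    if any(rule_matches(identity, r) for r in policy.exclude):
        return False
    # require: AND, every rule must match (vacuously true when the list is empty)
    return all(rule_matches(identity, r) for r in policy.require)


def evaluate(policies: List[Policy], identity: Identity) -> Tuple[str, Optional[str]]:
    """(decision, policy name) of the first match in precedence order; ("deny", None) when nothing matches."""
    precedences = [p.precedence for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy_matches(policy, identity):
            return policy.decision, policy.name
    return "deny", None


# Constructed policies for a hypothetical application: a blocklist first, then a
# service-token path for CI, then the human path with an exclusion and a posture requirement.
APP_POLICIES = [
    Policy("block-test-net", "deny", 1, include=[("IPRule", "203.0.113.0/24")]),
    Policy("ci-deploy-token", "non_identity", 2, include=[("ServiceTokenRule", "ci-deploy")]),
    Policy("engineering", "allow", 3,
           include=[("GroupRule", "engineering"), ("DomainRule", "example.com")],
           exclude=[("EmailRule", "intern@example.com")],
           require=[("AccessDevicePostureRule", "disk-encryption")]),
]

ALICE = Identity(email="alice@example.com", groups=frozenset({"engineering"}), country="DE",
                 ip="198.51.100.7", posture_passed=frozenset({"disk-encryption"}))
BOB = Identity(email="bob@example.com", country="DE", ip="198.51.100.8")  # no posture check passed
INTERN = Identity(email="intern@example.com", groups=frozenset({"engineering"}), ip="198.51.100.9",
                  posture_passed=frozenset({"disk-encryption"}))
CI = Identity(service_token_id="ci-deploy", ip="198.51.100.10")

if __name__ == "__main__":
    for who, identity in (("alice", ALICE), ("bob", BOB), ("intern", INTERN), ("ci", CI)):
        print(who, evaluate(APP_POLICIES, identity))
```

Two things the model makes visible: a `require` list with a posture rule turns a broad `include` (the whole email domain) into a device-gated policy, and a deny policy only protects if its `precedence` sorts ahead of the allow that would otherwise match.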
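The `read_service_tokens_from_header` field above replaces the CF-Access-Client-Id / CF-Access-Client-Secret header pair with one header carrying a JSON object. The following is an added example, not code from this SDK or from Cloudflare: a client-side builder for both header forms and a strict parser for the single-header form, of the kind a proxy or origin that forwards such credentials would want so that a malformed value is rejected before anything is logged or forwarded. The header name `X-Access-Service-Token` is hypothetical, and the client-id and client-secret shapes (32 hex characters plus `.access.<team domain>`, and 64 hex characters) are inferred from the sample in the field description, not from any published format.

```python
import json
import re
from typing import Dict, Tuple
from urllib.request import Request

# Hypothetical header name: in practice whatever read_service_tokens_from_header is set to.
TOKEN_HEADER = "X-Access-Service-Token"

# Credential shapes assumed from the sample value in the description above.
_CLIENT_ID = re.compile(r"^[0-9a-f]{32}\.access\.[A-Za-z0-9.-]+$")
_CLIENT_SECRET = re.compile(r"^[0-9a-f]{64}$")


def pair_headers(client_id: str, client_secret: str) -> Dict[str, str]:
    """The standard two-header form."""
    return {"CF-Access-Client-Id": client_id, "CF-Access-Client-Secret": client_secret}


def single_header(client_id: str, client_secret: str) -> Dict[str, str]:
    """The one-header form accepted when read_service_tokens_from_header names this header."""
    payload = {"cf-access-client-id": client_id, "cf-access-client-secret": client_secret}
    return {TOKEN_HEADER: json.dumps(payload, separators=(",", ":"))}


class ServiceTokenHeaderError(ValueError):
    """Raised for any malformed value; the message never echoes the header contents."""


def parse_single_header(value: str, max_len: int = 1024) -> Tuple[str, str]:
    """Strictly parse the JSON-object form back into (client_id, client_secret)."""
    if len(value) > max_len:
        raise ServiceTokenHeaderError("header too long")
    try:
        obj = json.loads(value)
    except json.JSONDecodeError:
        raise ServiceTokenHeaderError("header is not valid JSON") from None
    if not isinstance(obj, dict):
        raise ServiceTokenHeaderError("header JSON must be an object")
    client_id = obj.get("cf-access-client-id")
    client_secret = obj.get("cf-access-client-secret")
    if not isinstance(client_id, str) or not _CLIENT_ID.match(client_id):
        raise ServiceTokenHeaderError("cf-access-client-id missing or malformed")
    if not isinstance(client_secret, str) or not _CLIENT_SECRET.match(client_secret):
        raise ServiceTokenHeaderError("cf-access-client-secret missing or malformed")
    return client_id, client_secret


def build_request(url: str, client_id: str, client_secret: str) -> Request:
    """An outbound request object carrying the single-header form (nothing is sent here)."""
    return Request(url, headers=single_header(client_id, client_secret))


# Sample credentials copied from the field description above (documentation values, not live ones).
SAMPLE_ID = "88bf3b6d86161464f6509f7219099e57.access.example.com"
SAMPLE_SECRET = "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"

if __name__ == "__main__":
    header_value = single_header(SAMPLE_ID, SAMPLE_SECRET)[TOKEN_HEADER]
    print(parse_single_header(header_value)[0])  # the client id; the secret is not printed
```

The parser rejects arrays, missing keys and non-string values instead of falling back to the header pair, so a request that sets both forms cannot be made to authenticate under whichever one a downstream component happens to read first.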
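The SCIM `mappings` entries described above (for the SaaS application earlier on this page and for the BrowserSSHApplication just listed) take a `filter` expression, a `strictness` of `strict` or `passthrough`, and sit next to `deactivate_on_delete`. The following is an added example, not code from this SDK or from Cloudflare: a local simulation of what a mapping does to a batch of constructed SCIM User resources, so the filter and strictness can be exercised before provisioning is enabled. It supports only a subset of RFC 7644 filters (comparison clauses joined by `and`/`or`, no grouping or bracketed sub-filters), models `transform_jsonata` not at all, and the target attribute list and the user records are assumptions.

```python
import re
from typing import Any, Dict, List

# Constructed SCIM User resources as the IdP would present them (not real people).
IDP_USERS: List[Dict[str, Any]] = [
    {"userName": "alice@example.com", "active": True, "department": "engineering", "x-legacy-id": "A1"},
    {"userName": "bob@contractor.example", "active": True, "department": "engineering"},
    {"userName": "carol@example.com", "active": False, "department": "sales"},
]

# Attributes the hypothetical target application accepts on its User resource.
TARGET_USER_ATTRS = {"userName", "active", "department", "displayName"}

# One filter clause: attr op "value", attr op true|false|123, or attr pr.
_CLAUSE = re.compile(
    r'^(\w[\w.]*)\s+(eq|ne|co|sw|ew)\s+(?:"([^"]*)"|(true|false|\d+))$|^(\w[\w.]*)\s+pr$', re.I
)


def _text(v: Any) -> str:
    """Normalise a SCIM value for the case-insensitive comparisons used here."""
    if isinstance(v, bool):
        return "true" if v else "false"
    return str(v).lower()


def _clause_matches(clause: str, resource: Dict[str, Any]) -> bool:
    m = _CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported filter clause: {clause!r}")
    if m.group(5):  # "attr pr": present and non-empty
        return resource.get(m.group(5)) not in (None, "", [])
    have = resource.get(m.group(1))
    if have is None:
        return False
    op = m.group(2).lower()
    want = (m.group(3) if m.group(3) is not None else m.group(4)).lower()
    have = _text(have)
    return {"eq": have == want, "ne": have != want, "co": want in have,
            "sw": have.startswith(want), "ew": have.endswith(want)}[op]


def scim_filter_matches(expr: str, resource: Dict[str, Any]) -> bool:
    """'and' binds tighter than 'or'; quoted values containing ' and ' / ' or ' are not supported."""
    return any(
        all(_clause_matches(c, resource) for c in re.split(r"\s+and\s+", group, flags=re.I))
        for group in re.split(r"\s+or\s+", expr, flags=re.I)
    )


def apply_mapping(mapping: Dict[str, Any], resources: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Filter, then enforce strictness: 'strict' drops attributes the target schema lacks."""
    out: List[Dict[str, Any]] = []
    for r in resources:
        if mapping.get("filter") and not scim_filter_matches(mapping["filter"], r):
            continue
        if mapping.get("strictness", "strict") == "strict":
            r = {k: v for k, v in r.items() if k in TARGET_USER_ATTRS}
        out.append(dict(r))
    return out


def delete_action(deactivate_on_delete: bool) -> str:
    """What the target receives when the source resource is deleted."""
    return "PATCH active=false" if deactivate_on_delete else "DELETE"


MAPPING = {
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "enabled": True,
    "filter": 'active eq true and userName ew "@example.com"',
    "strictness": "strict",
}

if __name__ == "__main__":
    for user in apply_mapping(MAPPING, IDP_USERS):
        print(user)
    print(delete_action(True))
```

Running it shows why `strict` is the safer default: the `x-legacy-id` attribute that only one IdP record carries never reaches the target, whereas `passthrough` forwards it and leaves the target to decide what to do with an attribute it does not define.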
- `class BrowserVNCApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserVNCApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: Optional[List[BrowserVNCApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class AppLauncherApplication: …` - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color: Optional[str]` The background color of the App Launcher page. 
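The `session_duration` and `access_token_lifetime` fields above share one duration grammar (`300ms`, `2h45m`; units ns, us or µs, ms, s, m, h), while the MFA `session_duration` is restricted to minutes or hours between 0m and 720h. The validator below is an added example, not code from the Cloudflare SDK or from this reference; it assumes each component is an integer or decimal number followed by a unit, and treats an empty string as invalid.

```python
import re
from decimal import Decimal

# Nanoseconds per unit, covering exactly the units the reference lists
# (ns, us or µs, ms, s, m, h).
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}

# One component: a number (integer or decimal) followed by a unit.
# Two-letter units come before "s" and "m" so "ms" is never split into "m" + "s".
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(text, allowed_units=None):
    """Parse a duration such as "300ms" or "2h45m" into whole nanoseconds.

    Raises ValueError for an empty string, a stray character, a missing unit,
    or a unit outside ``allowed_units`` (when given).
    """
    if not text:
        raise ValueError("duration must not be empty")
    pos = 0
    total_ns = Decimal(0)
    while pos < len(text):
        match = _COMPONENT.match(text, pos)
        if match is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        value, unit = match.groups()
        if allowed_units is not None and unit not in allowed_units:
            raise ValueError(f"unit {unit!r} not permitted in {text!r}")
        # Decimal keeps fractional components such as "1.5h" exact (an
        # assumption here: the reference only shows integer components).
        total_ns += Decimal(value) * _UNIT_NS[unit]
        pos = match.end()
    return int(total_ns)


MFA_MAX_NS = 720 * _UNIT_NS["h"]  # 720h, the documented maximum (30 days)


def validate_mfa_session_duration(text):
    """Apply the MFA-specific rules: only m or h, and 0m <= duration <= 720h.

    Returns the duration in nanoseconds, or raises ValueError.
    """
    total_ns = parse_duration(text, allowed_units={"m", "h"})
    if total_ns > MFA_MAX_NS:
        raise ValueError(f"{text!r} exceeds the 720h maximum for MFA sessions")
    return total_ns


def check_duration(text, mfa=False):
    """Return (ok, message) for a candidate value without raising."""
    try:
        ns = validate_mfa_session_duration(text) if mfa else parse_duration(text)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{ns} ns"


if __name__ == "__main__":
    # Constructed candidates: token-lifetime values and MFA session values.
    for candidate, mfa in [("300ms", False), ("2h45m", False), ("24h", True),
                           ("721h", True), ("90s", True), ("5", False)]:
        print(candidate, "mfa" if mfa else "token", check_duration(candidate, mfa))
```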
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer. - `name: str` The hypertext in the footer link. - `url: str` The hyperlink in the footer link. - `header_bg_color: Optional[str]` The background color of the App Launcher header. - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in. - `button_color: Optional[str]` The background color of the log in button on the landing page. - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page. - `image_url: Optional[str]` The URL of the image shown on the landing page. - `message: Optional[str]` The message shown on the landing page. - `title: Optional[str]` The title shown on the landing page. - `name: Optional[str]` The name of the application. - `policies: Optional[List[AppLauncherApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page. - `class DeviceEnrollmentPermissionsApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: Optional[str]` The name of the application. - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. 
Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BrowserIsolationPermissionsApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: Optional[str]` The name of the application. - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. 
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class GatewayIdentityProxyEndpointApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. 
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: Optional[str]` The name of the application. - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. 
Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. 
- `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. 
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BookmarkApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class InfrastructureApplication: …`
  - `target_criteria: List[InfrastructureApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["SSH"]` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `aud: Optional[str]` Audience tag.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[InfrastructureApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application.
      - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: Optional[bool]` Enables using the Identity Provider email alias as the SSH username.
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `name: Optional[str]` The name of the Access policy.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `updated_at: Optional[datetime]`
- `class BrowserRDPApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: List[BrowserRDPApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["RDP"]` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserRDPApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserRDPApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
- `class McpServerApplication: …`
- `type: ApplicationType` The application type.
- `id: Optional[str]` UUID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `aud: Optional[str]` Audience tag.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
- `type: Optional[Literal["public"]]`
- `"public"`
- `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
- `class McpServerApplicationDestinationPrivateDestination: …`
- `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
- `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
- `"tcp"`
- `"udp"`
- `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
- `type: Optional[Literal["private"]]`
- `"private"`
- `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
- `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
- `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
- `type: Optional[Literal["via_mcp_server_portal"]]`
- `"via_mcp_server_portal"`
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
- `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
- `enabled: Optional[bool]` Whether dynamic client registration is enabled.
- `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
- `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
- `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `policies: Optional[List[McpServerApplicationPolicy]]`
- `id: Optional[str]` The UUID of the policy.
- `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
- `approvals_needed: float` The number of approvals needed to obtain access.
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
- `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
- `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
- `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
- `"text"`
- `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
- `"text"`
- `created_at: Optional[datetime]`
- `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
- `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforce different MFA options.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
- `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email.
- `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider id.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
- `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforce different MFA options.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
- `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email.
- `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider id.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
- `"totp"`
- `"biometrics"`
- `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
- `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforce different MFA options.
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate.
- `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country.
- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
- `class DomainRule: …` Matches an entire email domain.
- `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email.
- `class EveryoneRule: …` Matches everyone.
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider id.
- `class IPListRule: …` Matches an IP address from a list.
- `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token.
- `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: str` The base URI for the application's SCIM-compatible API.
- `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"`
- `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"`
- `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
- `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: str` Which SCIM resource type this mapping applies to.
- `enabled: Optional[bool]` Whether or not this mapping is enabled.
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
- `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
- `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
- `type: ApplicationType` The application type.
- `id: Optional[str]` UUID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerPortalApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. 
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: Optional[List[McpServerPortalApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. 
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name.
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. 
Tags are used to filter applications in the App Launcher dashboard. ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) application = client.zero_trust.access.applications.update( app_id="023e105f4ecef8ad9ca31a8372d0c353", domain="test.example.com/admin", type="self_hosted", account_id="account_id", ) print(application) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "domain": "test.example.com/admin", "type": "self_hosted", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "allow_authenticate_via_warp": true, "allow_iframe": true, "allowed_idps": [ "699d98642c564d2e855e9661899b7252" ], "app_launcher_visible": true, "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893", "auto_redirect_to_identity": true, "cors_headers": { "allow_all_headers": true, "allow_all_methods": true, "allow_all_origins": true, "allow_credentials": true, "allowed_headers": [ "string" ], "allowed_methods": [ "GET" ], "allowed_origins": [ "https://example.com" ], "max_age": -1 }, "created_at": "2014-01-01T05:20:00.12345Z", "custom_deny_message": "custom_deny_message", "custom_deny_url": "custom_deny_url", "custom_non_identity_deny_url": "custom_non_identity_deny_url", "custom_pages": [ "699d98642c564d2e855e9661899b7252" ], "destinations": [ { "type": "public", "uri": "test.example.com/admin" }, { "type": "public", "uri": "test.anotherexample.com/staff" }, { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" }, { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", 
"type": "private", "vnet_id": "vnet_id" }, { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" }, { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" } ], "enable_binding_cookie": true, "http_only_cookie_attribute": true, "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Admin Site", "oauth_configuration": { "dynamic_client_registration": { "allow_any_on_localhost": true, "allow_any_on_loopback": true, "allowed_uris": [ "https://example.com/callback" ], "enabled": true }, "enabled": true, "grant": { "access_token_lifetime": "5m", "session_duration": "24h" } }, "options_preflight_bypass": true, "path_cookie_attribute": true, "policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected 
domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "read_service_tokens_from_header": "Authorization", "same_site_cookie_attribute": "strict", "scim_config": { "idp_uid": "idp_uid", "remote_uri": "remote_uri", "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" }, "deactivate_on_delete": true, "enabled": true, "mappings": [ { "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "enabled": true, "filter": "title pr or userType eq \"Intern\"", "operations": { "create": true, "delete": true, "update": true }, "strictness": "strict", "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])" } ] }, "self_hosted_domains": [ "test.example.com/admin", "test.anotherexample.com/staff" ], "service_auth_401_redirect": true, "session_duration": "24h", "skip_interstitial": true, "tags": [ "engineers" ], "updated_at": "2014-01-01T05:20:00.12345Z", "use_clientless_isolation_app_launcher_url": false } } ``` ## Delete an Access application `zero_trust.access.applications.delete(AppIDapp_id, ApplicationDeleteParams**kwargs) -> ApplicationDeleteResponse` **delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}` Deletes an application from Access. ### Parameters - `app_id: AppID` Identifier. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `class ApplicationDeleteResponse: …` - `id: Optional[str]` UUID. 
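The `include`, `require` and `exclude` lists described for `policies` in the update parameters above compose in a fixed way: a policy matches when at least one Include rule matches (OR), every Require rule matches (AND) and no Exclude rule matches (NOT); policies are then tried in ascending `precedence`, and the first match supplies the `decision`. The following is an added example, not SDK code and not one of this page's own samples, that evaluates those semantics locally over plain dicts so a policy set can be sanity-checked before it is pushed. The `{"group": {"id": ...}}` rule shape is taken from the response sample above; the `email`, `email_domain`, `ip`, `everyone` and `certificate` shapes are assumed simplifications, and treating "no policy matched" as a denial is the evaluator's own fail-closed choice.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Each rule object carries exactly one key naming the rule type, e.g. {"group": {"id": "..."}}.
Rule = Dict[str, Dict[str, Any]]

# Group id copied from the response sample on this page; used only as sample data.
DEV_GROUP_ID = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"


def rule_matches(rule: Rule, subject: Dict[str, Any]) -> bool:
    """True if one rule matches the subject's attributes. Unknown rule types raise,
    so a policy containing a rule this evaluator does not understand fails closed."""
    [(kind, spec)] = rule.items()
    if kind == "everyone":
        return True
    if kind == "group":                                   # shape from the page's JSON sample
        return spec["id"] in subject.get("groups", ())
    if kind == "email":                                   # assumed shape: {"email": {"email": "..."}}
        return subject.get("email", "").lower() == spec["email"].lower()
    if kind == "email_domain":                            # assumed shape: {"email_domain": {"domain": "..."}}
        return subject.get("email", "").lower().endswith("@" + spec["domain"].lower())
    if kind == "ip":                                      # assumed shape: {"ip": {"ip": "10.0.0.0/8"}}
        return ipaddress.ip_address(subject["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "certificate":                             # any valid client certificate
        return bool(subject.get("client_cert_valid"))
    raise ValueError(f"unsupported rule type {kind!r}")


def policy_matches(policy: Dict[str, Any], subject: Dict[str, Any]) -> bool:
    """Include is OR, Require is AND, Exclude is NOT. A policy with no Include rules never matches."""
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if not any(rule_matches(r, subject) for r in include):
        return False
    if not all(rule_matches(r, subject) for r in require):
        return False
    if any(rule_matches(r, subject) for r in exclude):
        return False
    return True


def evaluate(policies: List[Dict[str, Any]], subject: Dict[str, Any]) -> Optional[str]:
    """Walk policies in ascending precedence and return the first matching policy's decision
    ("allow", "deny", "bypass" or "non_identity"). None means nothing matched: treat as deny."""
    precedences = [p["precedence"] for p in policies]
    if len(precedences) != len(set(precedences)):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, subject):
            return policy["decision"]
    return None


# Constructed sample policies: a deny for a contractor domain evaluated first, then the
# "Allow devs" policy from the page's sample narrowed to the corporate network, with one
# departed user excluded.
SAMPLE_POLICIES = [
    {"name": "Deny contractors", "precedence": 0, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "Allow devs", "precedence": 1, "decision": "allow",
     "include": [{"group": {"id": DEV_GROUP_ID}}],
     "require": [{"ip": {"ip": "10.0.0.0/8"}}],
     "exclude": [{"email": {"email": "leaver@example.com"}}]},
]

if __name__ == "__main__":
    dev = {"email": "dev@example.com", "groups": [DEV_GROUP_ID], "ip": "10.1.2.3"}
    print(evaluate(SAMPLE_POLICIES, dev))                                    # allow
    print(evaluate(SAMPLE_POLICIES, {**dev, "ip": "203.0.113.9"}))           # None: Require failed
    print(evaluate(SAMPLE_POLICIES, {**dev, "email": "leaver@example.com"}))  # None: Exclude hit
```

The common mistake this makes visible is putting a narrowing condition in Include rather than Require: an Include list is a union, so adding a second Include rule widens access, while the same rule under Require narrows it.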
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) application = client.zero_trust.access.applications.delete( app_id="023e105f4ecef8ad9ca31a8372d0c353", account_id="account_id", ) print(application.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Revoke application tokens `zero_trust.access.applications.revoke_tokens(AppIDapp_id, ApplicationRevokeTokensParams**kwargs) -> object` **post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens` Revokes all tokens issued for an application. ### Parameters - `app_id: AppID` Identifier. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Returns - `object` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) response = client.zero_trust.access.applications.revoke_tokens( app_id="023e105f4ecef8ad9ca31a8372d0c353", account_id="account_id", ) print(response) ``` #### Response ```json { "result": {}, "success": true } ``` ## Domain Types ### Allowed Headers - `str` ### Allowed IdPs - `str` The identity providers selected for application. 
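The `mappings` entries under `scim_config` in the update parameters above (`schema`, `enabled`, `operations`, `filter`, `strictness`, `transform_jsonata`) describe a small pipeline: a resource is provisioned only if the mapping is enabled for the operation and the resource matches the SCIM filter, and in strict mode attributes unknown to the outbound schema are dropped rather than passed to the target. The following is an added example, not SDK code, that implements that pipeline with a parser for the RFC 7644 filter subset (`pr`, `eq`, `ne`, `co`, `sw`, `ew`, `and`, `or`, `not`, parentheses) sufficient for the sample filter `title pr or userType eq "Intern"` shown in the response above. Assumptions: KNOWN_ATTRIBUTES is a constructed subset of the core User schema, a missing `operations` object applies to every operation, string comparisons are case-insensitive as for non-caseExact SCIM attributes, and `transform_jsonata` is not evaluated because no JSONata engine is involved.

```python
import re
from typing import Any, Dict, Optional, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Constructed subset of the core User schema; strict mode drops anything not listed here.
KNOWN_ATTRIBUTES = {"schemas", "id", "externalId", "userName", "name", "displayName",
                    "emails", "active", "title", "userType"}
_COMPARE_OPS = ("eq", "ne", "co", "sw", "ew")


def _lookup(resource: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as name.givenName; attribute names are case-insensitive."""
    cur: Any = resource
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = next((v for k, v in cur.items() if k.lower() == part.lower()), None)
    return cur


class _FilterParser:
    """expr := term ('or' term)* ; term := factor ('and' factor)*
    factor := 'not' '(' expr ')' | '(' expr ')' | attr 'pr' | attr op value"""

    def __init__(self, text: str) -> None:
        self.toks = re.findall(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()]+', text)
        self.i = 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def _take(self, expected: Optional[str] = None) -> str:
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of filter")
        tok = self.toks[self.i]
        self.i += 1
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        return tok

    def parse(self) -> Tuple:
        node = self.expr()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in filter")
        return node

    def expr(self) -> Tuple:
        node = self.term()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self.term())
        return node

    def term(self) -> Tuple:
        node = self.factor()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self.factor())
        return node

    def factor(self) -> Tuple:
        if self._peek() == "not":
            self._take(); self._take("(")
            node = ("not", self.expr()); self._take(")")
            return node
        if self._peek() == "(":
            self._take()
            node = self.expr(); self._take(")")
            return node
        attr = self._take()
        op = self._take().lower()
        if op == "pr":
            return ("pr", attr)
        if op not in _COMPARE_OPS:
            raise ValueError(f"unsupported operator {op!r}")
        raw = self._take()
        if raw.startswith('"'):
            value: Any = raw[1:-1]
        elif raw.lower() in ("true", "false"):
            value = raw.lower() == "true"
        else:
            value = float(raw)          # anything else is a malformed filter: fail closed
        return (op, attr, value)


def _eval(node: Tuple, resource: Dict[str, Any]) -> bool:
    kind = node[0]
    if kind == "or":
        return _eval(node[1], resource) or _eval(node[2], resource)
    if kind == "and":
        return _eval(node[1], resource) and _eval(node[2], resource)
    if kind == "not":
        return not _eval(node[1], resource)
    value = _lookup(resource, node[1])
    if kind == "pr":                                  # present means non-null and non-empty
        return value is not None and value != "" and value != [] and value != {}
    target = node[2]
    if isinstance(value, str) and isinstance(target, str):
        value, target = value.lower(), target.lower()
    if kind == "eq":
        return value == target
    if kind == "ne":
        return value != target
    if not (isinstance(value, str) and isinstance(target, str)):
        return False
    return {"co": target in value, "sw": value.startswith(target), "ew": value.endswith(target)}[kind]


def matches_filter(filter_text: str, resource: Dict[str, Any]) -> bool:
    return _eval(_FilterParser(filter_text).parse(), resource)


def apply_mapping(mapping: Dict[str, Any], resource: Dict[str, Any], operation: str) -> Optional[Dict[str, Any]]:
    """Return the resource to send to the target, or None when the mapping does not apply."""
    if not mapping.get("enabled", True) or mapping["schema"] not in resource.get("schemas", []):
        return None
    ops = mapping.get("operations")
    if ops is not None and not ops.get(operation, False):
        return None
    if mapping.get("filter") and not matches_filter(mapping["filter"], resource):
        return None
    if mapping.get("strictness", "strict") == "strict":
        return {k: v for k, v in resource.items() if k in KNOWN_ATTRIBUTES}
    return dict(resource)


# Mapping copied from the response sample on this page (transform_jsonata omitted).
SAMPLE_MAPPING = {"schema": USER_SCHEMA, "enabled": True,
                  "filter": 'title pr or userType eq "Intern"',
                  "operations": {"create": True, "delete": True, "update": True},
                  "strictness": "strict"}
```

Strict mode is the safer default for a target you do not control: a custom attribute such as a cost centre or an internal role name that leaks through in passthrough mode ends up stored in the downstream application.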
### Allowed Methods - `Literal["GET", "POST", "HEAD", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"]` - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` ### Allowed Origins - `str` ### App ID - `str` Identifier. ### Application - `Application` - `class SelfHostedApplication: …` - `domain: str` The domain and path that Access will secure. - `type: str` The application type. - `id: Optional[str]` UUID. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[SelfHostedApplicationCORSHeaders]` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. - `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[object]]` Allowed HTTP request headers. - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[object]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
- `created_at: Optional[datetime]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application. - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[Authentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. 
- `class AuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: str` URL used to generate the auth code used during token generation. - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `class AuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[AuthenticationAccessSchemasSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class AuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class AuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. 
These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations. - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations. - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `updated_at: Optional[datetime]` - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. 
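Several field descriptions above state constraints that the API only enforces at request time: `options_preflight_bypass` cannot be turned on when `cors_headers` is set, `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, `session_duration` and the OAuth `grant` lifetimes use the `300ms` / `2h45m` format, `mfa_config.session_duration` is limited to minutes or hours up to 720h, and `dynamic_client_registration.allowed_uris` must be `https` with at most a trailing `/*`. The following added example, not SDK code, checks those constraints on a request body before it is sent, and also implements the redirect-URI decision that `allowed_uris`, `allow_any_on_localhost` and `allow_any_on_loopback` describe, since an over-broad redirect allow-list is how authorization codes get stolen. Assumptions: the CORS warning about `allow_credentials` together with `allow_all_origins` is my addition rather than a documented API rule; localhost and 127.0.0.1 redirects are accepted on any scheme and port; an exact-match entry must equal the whole URI, so a query string is not tolerated; and the sample bodies are constructed.

```python
import re
from typing import Any, Dict, List
from urllib.parse import unquote, urlsplit

# Durations such as "300ms" or "2h45m" with units ns, us/µs, ms, s, m, h, as the field descriptions require.
_GO_DURATION = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# mfa_config.session_duration: whole minutes or hours only.
_MFA_DURATION = re.compile(r"^(\d+)(m|h)$")


def is_go_duration(value: str) -> bool:
    return bool(_GO_DURATION.match(value))


def mfa_duration_ok(value: str) -> bool:
    """Accept Nm or Nh between 0m and 720h inclusive."""
    m = _MFA_DURATION.match(value)
    if not m:
        return False
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes <= 720 * 60


def allowed_uri_wellformed(uri: str) -> bool:
    """allowed_uris entry: https, concrete host, no query or fragment, '*' only as a trailing '/*'."""
    p = urlsplit(uri)
    if p.scheme != "https" or not p.hostname or "*" in p.netloc or p.query or p.fragment:
        return False
    return "*" not in p.path or (p.path.endswith("/*") and p.path.count("*") == 1)


def redirect_uri_allowed(uri: str, dcr: Dict[str, Any]) -> bool:
    """May a dynamically registering client use `uri` as a redirect URI under this
    dynamic_client_registration config? Exact match, or prefix match for entries ending in '/*'."""
    p = urlsplit(uri)
    segments = unquote(p.path).split("/")
    if p.fragment or ".." in segments or "." in segments:   # RFC 6749 forbids fragments; refuse traversal
        return False
    if p.hostname == "localhost":                            # assumed: any scheme/port, as loopback flows need
        return bool(dcr.get("allow_any_on_localhost"))
    if p.hostname == "127.0.0.1":
        return bool(dcr.get("allow_any_on_loopback"))
    if p.scheme != "https":
        return False
    for allowed in dcr.get("allowed_uris") or []:
        if allowed.endswith("/*"):
            if uri.startswith(allowed[:-1]):                 # keep the slash: ".../cb/*" -> ".../cb/"
                return True
        elif uri == allowed:
            return True
    return False


def validate_application(app: Dict[str, Any]) -> List[str]:
    """Return the violated constraints; an empty list means the body is consistent."""
    problems: List[str] = []
    cors = app.get("cors_headers") or {}
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be turned on when cors_headers is set")
    if cors.get("allow_credentials") and cors.get("allow_all_origins"):
        problems.append("cors_headers: allow_credentials with allow_all_origins lets any site send credentialed requests")
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        problems.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    if "session_duration" in app and not is_go_duration(app["session_duration"]):
        problems.append("session_duration: expected a duration like 300ms or 2h45m")
    mfa = app.get("mfa_config") or {}
    if "session_duration" in mfa and not mfa_duration_ok(mfa["session_duration"]):
        problems.append("mfa_config.session_duration: must be Nm or Nh, at most 720h")
    oauth = app.get("oauth_configuration") or {}
    for key, val in (oauth.get("grant") or {}).items():
        if not is_go_duration(val):
            problems.append(f"oauth_configuration.grant.{key}: expected a duration like 300ms or 2h45m")
    for uri in (oauth.get("dynamic_client_registration") or {}).get("allowed_uris") or []:
        if not allowed_uri_wellformed(uri):
            problems.append(f"dynamic_client_registration.allowed_uris: {uri!r} must be https with at most a trailing /*")
    for policy in app.get("policies") or []:
        if "session_duration" in policy and not is_go_duration(policy["session_duration"]):
            problems.append(f"policy {policy.get('name', '?')}: session_duration is not a valid duration")
    return problems


# Constructed sample bodies: one consistent, one that trips every check above.
GOOD_APP = {
    "domain": "test.example.com/admin", "type": "self_hosted", "session_duration": "24h",
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"], "auto_redirect_to_identity": True,
    "mfa_config": {"session_duration": "24h"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "5m", "session_duration": "24h"},
                            "dynamic_client_registration": {"allowed_uris": ["https://example.com/callback"]}},
}
BAD_APP = {
    "domain": "test.example.com/admin", "type": "self_hosted", "session_duration": "1d",
    "allowed_idps": [], "auto_redirect_to_identity": True, "options_preflight_bypass": True,
    "cors_headers": {"allow_all_origins": True, "allow_credentials": True},
    "mfa_config": {"session_duration": "2h45m"},
    "oauth_configuration": {"grant": {"access_token_lifetime": "5 minutes"},
                            "dynamic_client_registration": {"allowed_uris": ["http://example.com/*"]}},
}
```

Run `validate_application` on the keyword arguments you are about to pass to `client.zero_trust.access.applications.update(...)`; the API will reject the same bodies, but a local check gives a readable list rather than one error at a time. Note that `redirect_uri_allowed` compares the raw URI string against the allow-list: normalising scheme and host case before the comparison would be a reasonable extension, but percent-decoding the whole URI before matching would not, since it lets `%2f` sequences fold into path separators.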
- `class SaaSApplication: …`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `created_at: Optional[datetime]`
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `saas_app: Optional[SaaSApplicationSaaSApp]`
    - `class SaaSApplicationSaaSAppAccessSchemasSAMLSaaSApp: …`
      - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to `"saml"` if unset.
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `created_at: Optional[datetime]`
      - `custom_attributes: Optional[List[SaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttribute]]`
        - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
        - `name: Optional[str]` The name of the attribute.
        - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: Optional[bool]` If the attribute is required when building a SAML assertion.
        - `source: Optional[SaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributeSource]`
          - `name: Optional[str]` The name of the IdP attribute.
          - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to attribute name.
      - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
      - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
      - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
      - `updated_at: Optional[datetime]`
    - `class SaaSApplicationSaaSAppAccessSchemasOIDCSaaSApp: …`
      - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: Optional[bool]` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
      - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: Optional[str]` The application client ID.
      - `client_secret: Optional[str]` The application client secret, only returned on POST request.
      - `created_at: Optional[datetime]`
      - `custom_claims: Optional[List[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaim]]`
        - `name: Optional[str]` The name of the claim.
        - `required: Optional[bool]` If the claim is required when building an OIDC token.
        - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: Optional[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimSource]`
          - `name: Optional[str]` The name of the IdP claim.
          - `name_by_idp: Optional[List[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimSourceNameByIdP]]` A mapping from IdP ID to attribute name.
            - `idp_id: Optional[str]` The UID of the IdP.
            - `source_name: Optional[str]` The name of the IdP provided attribute.
      - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", "hybrid", "implicit"]]]` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: Optional[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppHybridAndImplicitOptions]`
        - `return_access_token_from_authorization_endpoint: Optional[bool]` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: Optional[bool]` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: Optional[SaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppRefreshTokenOptions]`
        - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access; the "offline_access" scope will be enabled automatically if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
      - `updated_at: Optional[datetime]`
  - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `type: Optional[str]` The application type.
  - `updated_at: Optional[datetime]`
- `class BrowserSSHApplication: …`
  - `domain: str` The domain and path that Access will secure.
  - `type: str` The application type.
  - `id: Optional[str]` UUID.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[BrowserSSHApplicationCORSHeaders]`
    - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
    - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
    - `allow_all_origins: Optional[bool]` Allows all origins.
    - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
    - `allowed_headers: Optional[List[object]]` Allowed HTTP request headers.
    - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
      - `"GET"`
      - `"POST"`
      - `"HEAD"`
      - `"PUT"`
      - `"DELETE"`
      - `"CONNECT"`
      - `"OPTIONS"`
      - `"TRACE"`
      - `"PATCH"`
    - `allowed_origins: Optional[List[object]]` Allowed origins.
    - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
  - `created_at: Optional[datetime]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application.
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `updated_at: Optional[datetime]`
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class BrowserVNCApplication: …`
  - `domain: str` The domain and path that Access will secure.
  - `type: str` The application type.
  - `id: Optional[str]` UUID.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[BrowserVNCApplicationCORSHeaders]`
    - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
    - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
    - `allow_all_origins: Optional[bool]` Allows all origins.
    - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
    - `allowed_headers: Optional[List[object]]` Allowed HTTP request headers.
    - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
      - `"GET"`
      - `"POST"`
      - `"HEAD"`
      - `"PUT"`
      - `"DELETE"`
      - `"CONNECT"`
      - `"OPTIONS"`
      - `"TRACE"`
      - `"PATCH"`
    - `allowed_origins: Optional[List[object]]` Allowed origins.
    - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
  - `created_at: Optional[datetime]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application.
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `updated_at: Optional[datetime]`
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso"]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `created_at: Optional[datetime]`
  - `domain: Optional[str]` The domain and path that Access will secure.
  - `name: Optional[str]` The name of the application.
  - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso"]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `created_at: Optional[datetime]`
  - `domain: Optional[str]` The domain and path that Access will secure.
  - `name: Optional[str]` The name of the application.
  - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`
- `class BrowserIsolationPermissionsApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso"]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `created_at: Optional[datetime]`
  - `domain: Optional[str]` The domain and path that Access will secure.
  - `name: Optional[str]` The name of the application.
  - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`
- `class BookmarkApplication: …`
  - `domain: str` The URL or domain of the bookmark.
  - `type: str` The application type.
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[object]`
  - `aud: Optional[str]` Audience tag.
  - `created_at: Optional[datetime]`
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `scim_config: Optional[ApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `updated_at: Optional[datetime]`

### Application Policy

- `class ApplicationPolicy: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Application SCIM Config

- `class ApplicationSCIMConfig: …` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: str` The base URI for the application's SCIM-compatible API.
  - `authentication: Optional[Authentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `password: str` Password used to authenticate with the remote SCIM service.
      - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
        - `"httpbasic"`
      - `user: str` User name used to authenticate with the remote SCIM service.
- `class AuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: str` URL used to generate the auth code used during token generation. - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remove SCIM service. - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remove SCIM service. - `class AuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `List[AuthenticationAccessSchemasSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class AuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class AuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. 
These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations. - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations. - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. ### Application Type - `Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` ### CORS Headers - `class CORSHeaders: …` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. - `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers. 
- `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached. ### Decision - `Literal["allow", "deny", "non_identity", "bypass"]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` ### OIDC SaaS App - `class OIDCSaaSApp: …` - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: Optional[bool]` Whether a client secret is required on the token endpoint when the authorization_code_with_pkce grant is used. - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users. - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: Optional[str]` The application client ID. - `client_secret: Optional[str]` The application client secret, only returned on POST request. - `custom_claims: Optional[List[CustomClaim]]` - `name: Optional[str]` The name of the claim. - `required: Optional[bool]` If the claim is required when building an OIDC token. - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: Optional[CustomClaimSource]` - `name: Optional[str]` The name of the IdP claim. - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name. 
- `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]` - `return_access_token_from_authorization_endpoint: Optional[bool]` If an Access Token should be returned from the OIDC Authorization endpoint - `return_id_token_from_authorization_endpoint: Optional[bool]` If an ID Token should be returned from the OIDC Authorization endpoint - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `redirect_uris: Optional[List[str]]` The permitted URLs to which Cloudflare returns authorization codes and Access/ID tokens - `refresh_token_options: Optional[RefreshTokenOptions]` - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access; the "offline_access" scope is enabled automatically if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` ### SaaS App Name ID Format - `Literal["id", "email"]` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` ### SAML SaaS App - `class SAMLSaaSApp: …` - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. 
- `custom_attributes: Optional[List[CustomAttribute]]` - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute. - `name: Optional[str]` The name of the attribute. - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: Optional[bool]` If the attribute is required when building a SAML assertion. - `source: Optional[CustomAttributeSource]` - `name: Optional[str]` The name of the IdP attribute. - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name. - `idp_id: Optional[str]` The UID of the IdP. - `source_name: Optional[str]` The name of the IdP provided attribute. - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application. - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. 
The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider. - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests. ### SCIM Config Authentication HTTP Basic - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. ### SCIM Config Authentication OAuth Bearer Token - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` ### SCIM Config Authentication Oauth2 - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: str` URL used to generate the auth code used during token generation. - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application. 
- `"oauth2"` - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. ### SCIM Config Mapping - `class SCIMConfigMapping: …` Transformations and filters applied to resources before they are provisioned in the remote SCIM service. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations. - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations. - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. ### Self Hosted Domains - `str` A domain that Access will secure. ### Application List Response - `ApplicationListResponse` - `class SelfHostedApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. 
- `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. - `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers. - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached. 
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class SelfHostedApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. 
When omitted, all VNETs will match. - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server ID configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. 
- `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[SelfHostedApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. 
- `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. 
- `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
- `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. 
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. 
- `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
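The `include`, `exclude` and `require` lists above combine as OR, NOT-any and AND respectively, and `precedence` plus `decision` select the outcome. The following is an added reference evaluator written to illustrate those semantics; it is not the Cloudflare SDK or the Access service's own evaluator. The rule shapes follow the rule classes described here (everyone, email, email_domain, group, ip, geo); the identity-context dict, the default-deny fallback and the treatment of unmodelled rule types as non-matching are this example's assumptions.

```python
"""Reference evaluator for Access policy include / exclude / require lists.
Added illustration, not Cloudflare code: rule shapes mirror the rule classes
documented above; context dict, fail-closed defaults and the handful of
modelled rule types are assumptions made for this example."""
import ipaddress
from typing import Any, Dict, List

Rule = Dict[str, Any]
Context = Dict[str, Any]


def rule_matches(rule: Rule, ctx: Context) -> bool:
    """Evaluate a single rule object against a constructed identity context."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return ctx.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        domain = ctx.get("email", "").rpartition("@")[2].lower()
        return domain == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in ctx.get("group_ids", [])
    if "ip" in rule:
        try:
            addr = ipaddress.ip_address(ctx.get("ip", ""))
            return addr in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        except ValueError:
            return False
    if "geo" in rule:
        return ctx.get("country_code", "").upper() == rule["geo"]["country_code"].upper()
    # Rule types this example does not model never match (fail closed).
    return False


def policy_matches(policy: Dict[str, Any], ctx: Context) -> bool:
    """include: at least one rule must match; exclude: none may match; require: all must match."""
    include: List[Rule] = policy.get("include") or []
    exclude: List[Rule] = policy.get("exclude") or []
    require: List[Rule] = policy.get("require") or []
    if not any(rule_matches(r, ctx) for r in include):
        return False  # an empty include list matches nobody
    if any(rule_matches(r, ctx) for r in exclude):
        return False
    return all(rule_matches(r, ctx) for r in require)


def evaluate(policies: List[Dict[str, Any]], ctx: Context) -> str:
    """Decision of the first matching policy in precedence order.
    No match falls through to "deny" (assumption: fail closed)."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, ctx):
            return policy.get("decision", "deny")
    return "deny"


# Constructed sample policies (not from the page).
SAMPLE_POLICIES = [
    {
        "name": "deny contractors off the corporate network",
        "precedence": 1,
        "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
        "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],
    },
    {
        "name": "allow staff and the finance group from the US",
        "precedence": 2,
        "decision": "allow",
        "include": [
            {"email_domain": {"domain": "example.com"}},
            {"group": {"id": "grp-finance"}},
        ],
        "require": [{"geo": {"country_code": "US"}}],
    },
]

if __name__ == "__main__":
    staff = {"email": "alice@example.com", "ip": "198.51.100.7", "country_code": "US"}
    contractor = {"email": "bob@contractor.example", "ip": "198.51.100.9",
                  "country_code": "US", "group_ids": ["grp-finance"]}
    print(evaluate(SAMPLE_POLICIES, staff))       # allow
    print(evaluate(SAMPLE_POLICIES, contractor))  # deny
```

Note the ordering: the lower-precedence deny policy is consulted first, so a contractor who is also in `grp-finance` is denied unless the request comes from the excluded corporate range, in which case the deny policy no longer matches and the allow policy takes over.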
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `token: str` Token used to authenticate with the remote SCIM service.
- `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
  - `"oauthbearertoken"`
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `authorization_url: str` URL used to generate the auth code used during token generation.
- `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
- `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
- `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
  - `"oauth2"`
- `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
- `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
- `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
- `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: str` Which SCIM resource type this mapping applies to.
- `enabled: Optional[bool]` Whether or not this mapping is enabled.
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
- `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
- `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
- `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
- `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
  - `"strict"`
  - `"passthrough"`
- `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class SaaSApplication: …`
- `id: Optional[str]` UUID.
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
- `aud: Optional[str]` Audience tag.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `name: Optional[str]` The name of the application.
- `policies: Optional[List[SaaSApplicationPolicy]]`
- `id: Optional[str]` The UUID of the policy.
- `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
- `approvals_needed: float` The number of approvals needed to obtain access.
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
- `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
- `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
- `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
  - `"text"`
- `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
  - `"text"`
- `created_at: Optional[datetime]`
- `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
  - `"totp"`
  - `"biometrics"`
  - `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `saas_app: Optional[SaaSApplicationSaaSApp]`
- `class SAMLSaaSApp: …`
- `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
  - `"saml"`
  - `"oidc"`
- `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
- `custom_attributes: Optional[List[CustomAttribute]]`
- `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
- `name: Optional[str]` The name of the attribute.
- `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
  - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
  - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
  - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
- `required: Optional[bool]` If the attribute is required when building a SAML assertion.
- `source: Optional[CustomAttributeSource]`
- `name: Optional[str]` The name of the IdP attribute.
- `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
- `idp_id: Optional[str]` The UID of the IdP.
- `source_name: Optional[str]` The name of the IdP-provided attribute.
- `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
- `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
- `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
  - `"id"`
  - `"email"`
- `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
- `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
- `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
- `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
- `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
- `class OIDCSaaSApp: …`
- `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
- `allow_pkce_without_client_secret: Optional[bool]` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
- `app_launcher_url: Optional[str]` The URL where this application's tile redirects users.
- `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
  - `"saml"`
  - `"oidc"`
- `client_id: Optional[str]` The application client id.
- `client_secret: Optional[str]` The application client secret, only returned on POST request.
- `custom_claims: Optional[List[CustomClaim]]`
- `name: Optional[str]` The name of the claim.
- `required: Optional[bool]` If the claim is required when building an OIDC token.
- `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
  - `"groups"`
  - `"profile"`
  - `"email"`
  - `"openid"`
- `source: Optional[CustomClaimSource]`
- `name: Optional[str]` The name of the IdP claim.
- `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
- `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", "hybrid", "implicit"]]]` The OIDC flows supported by this application.
  - `"authorization_code"`
  - `"authorization_code_with_pkce"`
  - `"refresh_tokens"`
  - `"hybrid"`
  - `"implicit"`
- `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
- `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
- `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint.
- `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint.
- `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
- `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
- `refresh_token_options: Optional[RefreshTokenOptions]`
- `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
- `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
  - `"openid"`
  - `"groups"`
  - `"email"`
  - `"profile"`
- `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: str` The base URI for the application's SCIM-compatible API.
- `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
  - `"access_service_token"`
- `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
- `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: str` Which SCIM resource type this mapping applies to.
- `enabled: Optional[bool]` Whether or not this mapping is enabled.
- `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
- `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
- `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
- `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `type: Literal["self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp", "mcp", "mcp_portal", "proxy_endpoint"]` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`
- `id: Optional[str]` UUID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allow_iframe: Optional[bool]` Enables loading application content in an iframe.
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
- `aud: Optional[str]` Audience tag.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
- `cors_headers: Optional[CORSHeaders]`
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
- `type: Optional[Literal["public"]]`
  - `"public"`
- `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
- `class BrowserSSHApplicationDestinationPrivateDestination: …`
- `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
- `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
- `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
  - `"tcp"`
  - `"udp"`
- `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
- `type: Optional[Literal["private"]]`
  - `"private"`
- `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
- `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
- `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
- `type: Optional[Literal["via_mcp_server_portal"]]`
  - `"via_mcp_server_portal"`
- `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
  - `"totp"`
  - `"biometrics"`
  - `"security_key"`
- `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
- `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
- `enabled: Optional[bool]` Whether dynamic client registration is enabled.
- `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
- `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
- `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
- `policies: Optional[List[BrowserSSHApplicationPolicy]]`
- `id: Optional[str]` The UUID of the policy.
- `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
- `approvals_needed: float` The number of approvals needed to obtain access.
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
- `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class BrowserVNCApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserVNCApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserVNCApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. 
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes. Each element is one of:
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
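The policy fields on this page describe `include` as OR, `exclude` as NOT and `require` as AND, with `precedence` as the order of execution and `AccessLinkedAppTokenRule` restricted to non_identity and bypass decisions. The following is an added example, not Cloudflare SDK code: an offline evaluator and linter for those semantics over a constructed subset of rule types. The rule dict keys (`email`, `email_domain`, `ip`, `group`, `everyone`, `any_valid_service_token`, `linked_app_token`) are assumed to mirror the API's JSON rule shape, and "first matching policy in precedence order wins" is an assumption drawn from the `precedence` description.

```python
# Added example (not Cloudflare SDK code): a simplified, offline evaluator for
# the include / exclude / require semantics and `precedence` ordering that the
# policy listings on this page describe. Rule dict keys are assumed to mirror
# the API's JSON rule shape; only a constructed subset of rule types is
# implemented, and "first matching policy in precedence order wins" is an
# assumption derived from `precedence` being "the order of execution".
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    """The facts about a request that the constructed rule subset can check."""
    email: Optional[str] = None
    ip: Optional[str] = None
    groups: frozenset = frozenset()   # Access group ids the user belongs to
    service_token: bool = False       # a valid Access Service Token was presented


def rule_matches(rule: dict, who: Identity) -> bool:
    """Evaluate one rule against the identity (constructed subset of rule types)."""
    if "everyone" in rule:                                  # EveryoneRule
        return True
    if "any_valid_service_token" in rule:                   # AnyValidServiceTokenRule
        return who.service_token
    if "email" in rule:                                     # EmailRule
        return who.email is not None and who.email.lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:                              # DomainRule
        if who.email is None or "@" not in who.email:
            return False
        return who.email.lower().rsplit("@", 1)[1] == rule["email_domain"]["domain"].lower()
    if "ip" in rule:                                        # IPRule (an address block)
        if who.ip is None:
            return False
        return ipaddress.ip_address(who.ip) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    if "group" in rule:                                     # GroupRule
        return rule["group"]["id"] in who.groups
    raise ValueError(f"rule type not implemented in this example: {sorted(rule)}")


def policy_matches(policy: dict, who: Identity) -> bool:
    """include = OR (at least one), exclude = NOT (none may match), require = AND (all)."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(rule_matches(r, who) for r in include):
        return False
    if any(rule_matches(r, who) for r in exclude):
        return False
    return all(rule_matches(r, who) for r in require)


def decide(policies: list, who: Identity) -> Optional[str]:
    """Walk policies by ascending precedence; return the first match's decision, else None."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"]
    return None


def lint_policies(policies: list) -> list:
    """Static checks drawn from the field descriptions: precedence must be unique within
    an app, and linked_app_token rules are only valid with non_identity or bypass."""
    problems, seen = [], set()
    for p in policies:
        if p["precedence"] in seen:
            problems.append(f"{p['name']}: precedence {p['precedence']} is not unique")
        seen.add(p["precedence"])
        rules = (p.get("include") or []) + (p.get("exclude") or []) + (p.get("require") or [])
        if any("linked_app_token" in r for r in rules) and p["decision"] not in ("non_identity", "bypass"):
            problems.append(f"{p['name']}: linked_app_token rules need a non_identity or bypass decision")
    return problems


# Constructed sample policies for a single application (not from any real account).
SAMPLE_POLICIES = [
    {"name": "block contractors", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "allow staff from the office range", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "exclude": [{"email": {"email": "mallory@example.com"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}]},
]

if __name__ == "__main__":
    alice = Identity(email="alice@example.com", ip="203.0.113.7")
    print(decide(SAMPLE_POLICIES, alice))   # allow
    print(lint_policies(SAMPLE_POLICIES))   # []
```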
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", ...]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the login button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the login button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator.
      To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login.
    You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim.
        Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
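The include/exclude/require semantics stated above (OR, NOT, AND) are easy to misjudge when asking whether a given identity would be admitted by a policy set. The following is an added example, not part of the SDK or of Cloudflare's evaluation engine: a small local evaluator over policy dicts shaped like the response objects on this page. The top-level key names used for rule objects (`everyone`, `email`, `email_domain`, `group`, `ip`, `geo`, `login_method`, `service_token`), the `decision` values `allow` and `deny`, and the fallback to `deny` when no policy matches are assumptions about the wire format and engine behaviour; the sample policies and identities are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Any


@dataclass
class Identity:
    """What the evaluator knows about the requester. Constructed for this example."""
    email: str = ""
    groups: set[str] = field(default_factory=set)  # Access group ids
    ip: str = ""
    country: str = ""          # ISO country code
    idp_id: str = ""           # identity provider id the user logged in with
    service_token_id: str = ""


def rule_matches(rule: dict[str, Any], who: Identity) -> bool:
    """Evaluate a single AccessRule. The key names are assumed wire-format names for
    EveryoneRule, EmailRule, DomainRule, GroupRule, IPRule, CountryRule,
    AccessLoginMethodRule and ServiceTokenRule. Unknown rule types raise rather than
    silently returning True or False, so a typo cannot turn into an allow."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return who.email.lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        return who.email.lower().endswith("@" + rule["email_domain"]["domain"].lower())
    if "group" in rule:
        return rule["group"]["id"] in who.groups
    if "ip" in rule:
        if not who.ip:
            return False
        return ipaddress.ip_address(who.ip) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    if "geo" in rule:
        return who.country.upper() == rule["geo"]["country_code"].upper()
    if "login_method" in rule:
        return who.idp_id == rule["login_method"]["id"]
    if "service_token" in rule:
        return who.service_token_id == rule["service_token"]["token_id"]
    raise ValueError(f"unsupported rule type: {sorted(rule)}")


def policy_matches(policy: dict[str, Any], who: Identity) -> bool:
    """include is OR, exclude is NOT, require is AND, exactly as the field text says.
    A policy with no include rules matches nobody (any() over an empty list is False)."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(rule_matches(r, who) for r in include):
        return False
    if any(rule_matches(r, who) for r in exclude):
        return False
    return all(rule_matches(r, who) for r in require)


def evaluate(policies: list[dict[str, Any]], who: Identity) -> str:
    """Walk policies in precedence order and return the decision of the first match.
    Falling back to "deny" when nothing matches is this example's choice (assumption);
    the page says nothing about that case or about ordering between decision types."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy.get("decision", "deny")
    return "deny"


# Constructed sample: block one contractor domain first, then allow engineering
# (or one named operator) only from the office range and never from one country.
SAMPLE_POLICIES = [
    {"name": "block contractors", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "engineering from office", "precedence": 2, "decision": "allow",
     "include": [{"group": {"id": "eng-group-id"}}, {"email": {"email": "ops@example.com"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}],
     "exclude": [{"geo": {"country_code": "KP"}}]},
]

if __name__ == "__main__":
    dev = Identity(email="dev@example.com", groups={"eng-group-id"}, ip="203.0.113.7", country="US")
    print(evaluate(SAMPLE_POLICIES, dev))                                     # allow
    print(evaluate(SAMPLE_POLICIES, Identity(email="x@contractor.example")))  # deny
```

The point of the lower-precedence deny policy is that precedence, not rule strength, decides the outcome: a contractor who is also in the engineering group is still denied because the block policy is evaluated first.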
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class GatewayIdentityProxyEndpointApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: Optional[str]` The name of the application. - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. 
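Two different duration grammars appear in the fields above: `mfa_config.session_duration` accepts only minutes or hours, from 0m up to 720h, while the token `session_duration` is a Go-style duration with units from ns to h. The following added example (not SDK code) parses the Go-style form strictly and validates the MFA form against the stated bounds, so a malformed or out-of-range value is rejected locally instead of being passed through by a lenient parser. Fractional values such as `1.5s` are accepted on the assumption that the format follows Go's `time.ParseDuration`; the page only shows whole-number examples.

```python
import re

# nanoseconds per unit, matching the units the page lists: ns, us (or µs), ms, s, m, h
_UNIT_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 1_000_000_000, "m": 60 * 1_000_000_000, "h": 3_600 * 1_000_000_000,
}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")

MFA_SESSION_MAX_NS = 720 * _UNIT_NS["h"]  # "Maximum: 720h (30 days)"


def parse_duration_ns(text: str) -> int:
    """Strictly parse a Go-style duration such as "300ms" or "2h45m" into nanoseconds.
    Every character must belong to a number+unit token; whitespace, bare numbers and
    unknown units ("5d") raise ValueError instead of being guessed at."""
    if not text:
        raise ValueError("empty duration")
    total = 0
    pos = 0
    for match in _TOKEN.finditer(text):
        if match.start() != pos:
            raise ValueError(f"invalid duration {text!r}: unexpected text at offset {pos}")
        number, unit = match.group(1), match.group(2)
        scale = _UNIT_NS[unit]
        # integer arithmetic for whole numbers; fractions follow Go's ParseDuration (assumption)
        total += int(number) * scale if "." not in number else int(float(number) * scale)
        pos = match.end()
    if pos != len(text):
        raise ValueError(f"invalid duration {text!r}: trailing text at offset {pos}")
    return total


def validate_mfa_session_duration(text: str) -> int:
    """mfa_config.session_duration must be in minutes (m) or hours (h), minimum 0m,
    maximum 720h. Returns the value in nanoseconds or raises ValueError."""
    units = {unit for _, unit in _TOKEN.findall(text)}
    if not units or not units <= {"m", "h"}:
        raise ValueError(f"mfa session_duration {text!r} must use only m or h, e.g. '5m' or '24h'")
    ns = parse_duration_ns(text)  # also rejects anything outside the m/h tokens
    if ns > MFA_SESSION_MAX_NS:
        raise ValueError(f"mfa session_duration {text!r} exceeds the 720h maximum")
    return ns


if __name__ == "__main__":
    for value in ("300ms", "2h45m", "1µs"):
        print(value, "=", parse_duration_ns(value), "ns")
    for value in ("24h", "0m", "721h", "5ms"):
        try:
            print(value, "ok, ns =", validate_mfa_session_duration(value))
        except ValueError as exc:
            print(value, "rejected:", exc)
```

The strictness matters more than the arithmetic: an API that accepts a string field cannot tell you that `"2h 45m"` or `"5"` meant something other than what the backend parsed, so the client is the right place to refuse such values.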
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BookmarkApplication: …` - `id: Optional[str]` UUID. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `domain: Optional[str]` The URL or domain of the bookmark. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. 
- `policies: Optional[List[BookmarkApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class InfrastructureApplication: …` - `target_criteria: List[InfrastructureApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["SSH"]` The communication protocol your application secures. 
- `"SSH"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `aud: Optional[str]` Audience tag. - `name: Optional[str]` The name of the application. - `policies: Optional[List[InfrastructureApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application. - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: Optional[bool]` Enables using Identity Provider email alias as SSH username. - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. 
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access policy. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
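Several field descriptions in the application and policy objects above state constraints that are worth checking in a periodic audit of what is already deployed, not only when writing a configuration: policy precedence must be unique within an app, infrastructure application policies may only use the Allow action, AccessLinkedAppTokenRule is only compatible with non_identity and bypass decisions, a port cannot be assigned to multiple protocols, and `mfa_disabled` and EveryoneRule both widen access. The following lint is an added example, not part of the SDK; it runs over plain dicts shaped like the response objects on this page. The `type` value `"infrastructure"`, the `linked_app_token` and `everyone` rule keys, and the sample applications are assumptions or constructed data, and the port check applies the constraint across all applications because the page does not say whether it is per-app or account-wide.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from typing import Any


def lint_application(app: dict[str, Any]) -> list[str]:
    """Check one application object against the constraints its field descriptions
    state and return human-readable findings. Dict keys follow the page; the rule
    object keys ("everyone", "linked_app_token") and type value are assumptions."""
    findings: list[str] = []
    app_name = app.get("name") or app.get("id") or "<unnamed app>"
    policies = app.get("policies") or []

    # precedence "must be unique for each policy within an app"
    counts = Counter(p["precedence"] for p in policies if p.get("precedence") is not None)
    for value, n in sorted(counts.items()):
        if n > 1:
            findings.append(f"{app_name}: precedence {value} used by {n} policies")

    for p in policies:
        tag = f"{app_name}/{p.get('name') or p.get('id') or '<unnamed policy>'}"
        decision = p.get("decision")

        # "Infrastructure application policies can only use the Allow action."
        if app.get("type") == "infrastructure" and decision not in (None, "allow"):
            findings.append(f"{tag}: infrastructure policy decision {decision!r}; only allow is valid")

        # AccessLinkedAppTokenRule is "only compatible with non_identity and bypass decisions"
        for where in ("include", "exclude", "require"):
            has_linked = any("linked_app_token" in r for r in p.get(where) or [])
            if has_linked and decision not in ("non_identity", "bypass"):
                findings.append(f"{tag}: AccessLinkedAppTokenRule in {where} with decision {decision!r}")

        # EveryoneRule "matches everyone": an allow policy with nothing in require or
        # exclude admits any identity the allowed IdPs will authenticate, so flag it
        everyone = any("everyone" in r for r in p.get("include") or [])
        if decision == "allow" and everyone and not (p.get("require") or p.get("exclude")):
            findings.append(f"{tag}: allows everyone with no require or exclude rules")

        # mfa_disabled "disable[s] MFA for this resource" at the policy level
        if (p.get("mfa_config") or {}).get("mfa_disabled"):
            findings.append(f"{tag}: mfa_disabled is set")

        # SSH connection rules list the Unix usernames a matching user may log in as
        ssh = (p.get("connection_rules") or {}).get("ssh") or {}
        if "root" in (ssh.get("usernames") or []):
            findings.append(f"{tag}: SSH connection rule permits the root username")
    return findings


def lint_applications(apps: list[dict[str, Any]]) -> list[str]:
    """Lint every application, then apply "A port cannot be assigned to multiple
    protocols" across all target_criteria in the set (conservative, account-wide reading)."""
    findings = [f for app in apps for f in lint_application(app)]
    protocols_by_port: dict[int, set[str]] = defaultdict(set)
    for app in apps:
        for tc in app.get("target_criteria") or []:
            protocols_by_port[tc["port"]].add(tc["protocol"])
    for port, protos in sorted(protocols_by_port.items()):
        if len(protos) > 1:
            findings.append(f"port {port} assigned to multiple protocols: {sorted(protos)}")
    return findings


# Constructed sample: one infrastructure (SSH) app and one browser RDP app, each
# carrying a few of the misconfigurations the checks above look for.
SAMPLE_APPS: list[dict[str, Any]] = [
    {
        "id": "00000000-0000-0000-0000-000000000001", "name": "prod-bastions", "type": "infrastructure",
        "target_criteria": [{"port": 22, "protocol": "SSH", "target_attributes": {"env": ["prod"]}}],
        "policies": [
            {"id": "p1", "name": "sre ssh", "precedence": 1, "decision": "allow",
             "include": [{"group": {"id": "sre-group"}}],
             "connection_rules": {"ssh": {"usernames": ["ubuntu", "root"], "allow_email_alias": False}}},
            {"id": "p2", "name": "break glass", "precedence": 1, "decision": "deny",
             "include": [{"everyone": {}}]},
        ],
    },
    {
        "id": "00000000-0000-0000-0000-000000000002", "name": "jump-rdp", "type": "rdp",
        "domain": "rdp.example.com",
        "target_criteria": [{"port": 3389, "protocol": "RDP", "target_attributes": {"os": ["windows"]}}],
        "policies": [
            {"id": "p3", "name": "helpdesk", "precedence": 1, "decision": "allow",
             "include": [{"everyone": {}}], "mfa_config": {"mfa_disabled": True}},
            {"id": "p4", "name": "automation", "precedence": 2, "decision": "allow",
             "include": [{"linked_app_token": {"app_uid": "saas-app-uid"}}]},
        ],
    },
]

if __name__ == "__main__":
    for finding in lint_applications(SAMPLE_APPS):
        print(finding)
```

In practice the input would be the `policies` and `target_criteria` of each application object returned by the SDK, converted to dicts; running the lint on read rather than on write catches configurations that were valid when created but became risky after a later edit.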
  - `target_criteria: List[BrowserRDPApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["RDP"]` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserRDPApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserRDPApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class McpServerApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `policies: Optional[List[McpServerApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: str` The base URI for the application's SCIM-compatible API.
  - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. 
    - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
    - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
- `type: ApplicationType` The application type.
- `id: Optional[str]` UUID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `aud: Optional[str]` Audience tag.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
    - `type: Optional[Literal["public"]]`
      - `"public"`
    - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
  - `class McpServerPortalApplicationDestinationPrivateDestination: …`
    - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
    - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
    - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
      - `"tcp"`
      - `"udp"`
    - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
    - `type: Optional[Literal["private"]]`
      - `"private"`
    - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
  - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
    - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
    - `type: Optional[Literal["via_mcp_server_portal"]]`
      - `"via_mcp_server_portal"`
- `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
- `name: Optional[str]` The name of the application.
- `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
  - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
    - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
    - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
    - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
    - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
  - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
  - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
    - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
- `policies: Optional[List[McpServerPortalApplicationPolicy]]`
- `id: Optional[str]` The UUID of the policy.
- `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
  - `approvals_needed: float` The number of approvals needed to obtain access.
  - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
  - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
  - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. 
Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. 
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: Optional[str]` The name of the Access policy.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: str` The base URI for the application's SCIM-compatible API.
  - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
  - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
  - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: str` Which SCIM resource type this mapping applies to.
    - `enabled: Optional[bool]` Whether or not this mapping is enabled.
    - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
    - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Get Response

- `ApplicationGetResponse`
- `class SelfHostedApplication: …`
- `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `type: ApplicationType` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`
- `id: Optional[str]` UUID.
- `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
- `aud: Optional[str]` Audience tag.
- `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `cors_headers: Optional[CORSHeaders]`
  - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
  - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
  - `allow_all_origins: Optional[bool]` Allows all origins.
  - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
  - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
  - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
    - `"GET"`
    - `"POST"`
    - `"HEAD"`
    - `"PUT"`
    - `"DELETE"`
    - `"CONNECT"`
    - `"OPTIONS"`
    - `"TRACE"`
    - `"PATCH"`
  - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
  - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
- `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
    - `type: Optional[Literal["public"]]`
      - `"public"`
    - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
  - `class SelfHostedApplicationDestinationPrivateDestination: …`
    - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
    - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
    - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
      - `"tcp"`
      - `"udp"`
    - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
    - `type: Optional[Literal["private"]]`
      - `"private"`
    - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
  - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
    - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[SelfHostedApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `"allow"`
      - `"deny"`
      - `"non_identity"`
      - `"bypass"`
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
        - `group: Group`
          - `id: str` The ID of a previously created Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `auth_context: AccessAuthContextRuleAuthContext`
          - `id: str` The ID of an Authentication context.
          - `ac_id: str` The ACID of an Authentication context.
          - `identity_provider_id: str` The ID of your Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
        - `auth_method: AuthMethod`
          - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `azure_ad: AzureAD`
          - `id: str` The ID of an Azure group.
          - `identity_provider_id: str` The ID of your Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
        - `certificate: Certificate`
      - `class AccessCommonNameRule: …` Matches a specific common name.
        - `common_name: AccessCommonNameRuleCommonName`
          - `common_name: str` The common name to match.
      - `class CountryRule: …` Matches a specific country.
        - `geo: Geo`
          - `country_code: str` The country code that should be matched.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `device_posture: DevicePosture`
          - `integration_uid: str` The ID of a device posture integration.
      - `class DomainRule: …` Matches an entire email domain.
        - `email_domain: EmailDomain`
          - `domain: str` The email domain to match.
      - `class EmailListRule: …` Matches an email address from a list.
        - `email_list: EmailList`
          - `id: str` The ID of a previously created email list.
      - `class EmailRule: …` Matches a specific email.
        - `email: Email`
          - `email: str` The email of the user.
      - `class EveryoneRule: …` Matches everyone.
        - `everyone: Everyone` An empty object which matches on all users.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: ExternalEvaluation`
          - `evaluate_url: str` The API endpoint containing your business logic.
          - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `github_organization: GitHubOrganization`
          - `identity_provider_id: str` The ID of your GitHub identity provider.
          - `name: str` The name of the organization.
          - `team: Optional[str]` The name of the team.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: GSuite`
          - `email: str` The email of the Google Workspace group.
          - `identity_provider_id: str` The ID of your Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
        - `login_method: AccessLoginMethodRuleLoginMethod`
          - `id: str` The ID of an identity provider.
      - `class IPListRule: …` Matches an IP address from a list.
        - `ip_list: IPList`
          - `id: str` The ID of a previously created IP list.
      - `class IPRule: …` Matches an IP address block.
        - `ip: IP`
          - `ip: str` An IPv4 or IPv6 CIDR block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `okta: Okta`
          - `identity_provider_id: str` The ID of your Okta identity provider.
          - `name: str` The name of the Okta group.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `saml: SAML`
          - `attribute_name: str` The name of the SAML attribute.
          - `attribute_value: str` The SAML attribute value to look for.
          - `identity_provider_id: str` The ID of your SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: AccessOIDCClaimRuleOIDC`
          - `claim_name: str` The name of the OIDC claim.
          - `claim_value: str` The OIDC claim value to look for.
          - `identity_provider_id: str` The ID of your OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `service_token: ServiceToken`
          - `token_id: str` The ID of a Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
          - `app_uid: str` The ID of an Access OIDC SaaS application.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
        - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
          - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: str` Password used to authenticate with the remote SCIM service.
        - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: str` User name used to authenticate with the remote SCIM service.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: str` Token used to authenticate with the remote SCIM service.
        - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: str` URL used to generate the auth code used during token generation.
        - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
        - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
        - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class SaaSApplication: …`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[SaaSApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim.
        Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `saas_app: Optional[SaaSApplicationSaaSApp]` - `class SAMLSaaSApp: …` - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: Optional[List[CustomAttribute]]` - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute. - `name: Optional[str]` The name of the attribute. - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: Optional[bool]` If the attribute is required when building a SAML assertion. - `source: Optional[CustomAttributeSource]` - `name: Optional[str]` The name of the IdP attribute. - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name. - `idp_id: Optional[str]` The UID of the IdP. - `source_name: Optional[str]` The name of the IdP provided attribute. - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application. - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application. 
- `"id"` - `"email"` - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata] (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider. - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests. - `class OIDCSaaSApp: …` - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: Optional[bool]` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `app_launcher_url: Optional[str]` The URL where this applications tile redirects users - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the saas app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: Optional[str]` The application client id - `client_secret: Optional[str]` The application client secret, only returned on POST request. - `custom_claims: Optional[List[CustomClaim]]` - `name: Optional[str]` The name of the claim. - `required: Optional[bool]` If the claim is required when building an OIDC token. 
- `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: Optional[CustomClaimSource]` - `name: Optional[str]` The name of the IdP claim. - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name. - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]` - `return_access_token_from_authorization_endpoint: Optional[bool]` If an Access Token should be returned from the OIDC Authorization endpoint - `return_id_token_from_authorization_endpoint: Optional[bool]` If an ID Token should be returned from the OIDC Authorization endpoint - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `redirect_uris: Optional[List[str]]` The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens - `refresh_token_options: Optional[RefreshTokenOptions]` - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
- `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. 
- `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. 
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class BrowserSSHApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserSSHApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. 
- `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserSSHApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class BrowserVNCApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. 
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserVNCApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
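The duration fields on this page share one grammar: the application and policy `session_duration` (and the OAuth grant lifetimes) accept `300ms` / `2h45m` style values with units ns, us (or µs), ms, s, m, h, while `mfa_config.session_duration` is restricted to minutes or hours between 0m and 720h. The following validator is an added example, not code from the page or the SDK; it assumes whole-number counts for the MFA field, which the page does not state.

```python
import re
from typing import Optional

# Unit multipliers in nanoseconds for the units the Access API documents:
# ns, us (or µs), ms, s, m, h. This is the grammar of Go's time.ParseDuration.
_UNITS_NS = {
    "ns": 1,
    "us": 1_000,
    "\u00b5s": 1_000,  # micro sign (µs), as written on the page
    "\u03bcs": 1_000,  # Greek small mu, which Go's parser also accepts
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# Longest unit names first, so "ms" is never read as "m" followed by "s".
_UNIT_ALTERNATION = "|".join(sorted(_UNITS_NS, key=len, reverse=True))
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(" + _UNIT_ALTERNATION + ")")

MFA_SESSION_MAX_NS = 720 * _UNITS_NS["h"]  # 720h (30 days), the documented maximum


def parse_duration_ns(value: str) -> int:
    """Parse a duration such as '300ms' or '2h45m' into nanoseconds.

    Raises ValueError for an empty string, an unknown unit (e.g. '2d'),
    or anything left over after the last number+unit pair.
    """
    if not value:
        raise ValueError("empty duration")
    pos, total = 0, 0
    while pos < len(value):
        m = _TOKEN.match(value, pos)
        if m is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        total += int(float(m.group(1)) * _UNITS_NS[m.group(2)])
        pos = m.end()
    return total


def is_valid_session_duration(value: str) -> bool:
    """True if `value` is acceptable for an application or policy session_duration."""
    try:
        parse_duration_ns(value)
    except ValueError:
        return False
    return True


def mfa_session_duration_error(value: str) -> Optional[str]:
    """Return None if `value` is a valid mfa_config.session_duration, else the reason.

    The page states minutes (m) or hours (h) only, minimum 0m, maximum 720h.
    Assumption (not on the page): only whole-number counts such as 5m or 24h.
    """
    if not re.fullmatch(r"(?:\d+[mh])+", value):
        return "must use minutes (m) or hours (h) only, e.g. 5m or 24h"
    if parse_duration_ns(value) > MFA_SESSION_MAX_NS:
        return "exceeds the 720h (30 day) maximum"
    return None
```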
  - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserVNCApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

    ```json
    {
      "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
    }
    ```

  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
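The `oauth_configuration.dynamic_client_registration` settings of the application above define which redirect URIs a dynamically registered client may present: entries in `allowed_uris` must be `https`, a path ending in `/*` matches all sub-paths, and `allow_any_on_localhost` / `allow_any_on_loopback` admit clients on localhost and 127.0.0.1. The check below is an added example, not code from the page or the SDK, of pre-validating a registration request against those same rules on the client side before submitting it; exact scheme, host and port matching, rejecting fragments (RFC 6749 section 3.1.2), and treating `/cb/*` as the prefix `/cb/` are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class DynamicClientRegistration:
    """Constructed mirror of the dynamic_client_registration fields on this page."""
    enabled: bool = True
    allowed_uris: List[str] = field(default_factory=list)
    allow_any_on_localhost: bool = False
    allow_any_on_loopback: bool = False


def _origin(uri: str) -> Tuple[str, str, int]:
    """Scheme, lower-cased host and effective port (assumption: all three must match exactly)."""
    parts = urlsplit(uri)
    port = parts.port
    if port is None:
        port = {"https": 443, "http": 80}.get(parts.scheme, -1)
    return parts.scheme, (parts.hostname or "").lower(), port


def _matches_allowed(redirect_uri: str, allowed: str) -> bool:
    """Match one redirect URI against one allowed_uris entry."""
    a = urlsplit(allowed)
    r = urlsplit(redirect_uri)
    # The page requires https for allowed_uris, so a non-https entry never matches
    # and a non-https redirect URI is never accepted through the allow-list.
    if a.scheme != "https" or r.scheme != "https":
        return False
    if _origin(redirect_uri) != _origin(allowed):
        return False
    if a.path.endswith("/*"):
        # '/cb/*' matches '/cb/' and everything beneath it, but not '/cb' itself (assumption).
        return r.path.startswith(a.path[:-1])
    return r.path == a.path


def redirect_uri_permitted(cfg: DynamicClientRegistration, redirect_uri: str) -> bool:
    """Would this single redirect URI be accepted under the configured rules?"""
    if not cfg.enabled:
        return False
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        # RFC 6749 section 3.1.2: the redirection endpoint URI must not include a fragment.
        return False
    host = (parts.hostname or "").lower()
    # The two flags on the page are tied to exactly these hosts; when set, any
    # scheme and port on that host is admitted (assumption for http loopback clients).
    if host == "localhost" and cfg.allow_any_on_localhost:
        return True
    if host == "127.0.0.1" and cfg.allow_any_on_loopback:
        return True
    return any(_matches_allowed(redirect_uri, allowed) for allowed in cfg.allowed_uris)


def registration_request_permitted(cfg: DynamicClientRegistration, redirect_uris: List[str]) -> bool:
    """A registration request is acceptable only if every redirect URI it lists is permitted."""
    return bool(redirect_uris) and all(redirect_uri_permitted(cfg, u) for u in redirect_uris)
```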
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the log in button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
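The two `session_duration` fields above use different grammars: the token lifetime is a Go-style duration (`300ms`, `2h45m`; units ns, us or µs, ms, s, m, h), while `mfa_config.session_duration` accepts only whole minutes or hours between 0m and 720h. Writing a value in the wrong grammar is an easy mistake to make when both live on the same policy, so the following validators, an added example rather than code from the Cloudflare SDK, enforce each grammar separately and lint a policy given as a plain dict. The sample policy and its keys are constructed to mirror the field names on this page; an SDK model would need to be converted to a dict first.

```python
"""Validators for the two session_duration grammars used in Access policies.

Added example (not Cloudflare SDK code). It encodes the constraints stated in
the field descriptions: token `session_duration` is a Go-style duration with
units ns, us (or µs), ms, s, m, h (e.g. "300ms", "2h45m");
`mfa_config.session_duration` accepts only whole minutes (m) or hours (h),
from 0m to 720h inclusive. The policy dict below is a constructed sample.
"""
import re
from fractions import Fraction
from typing import List, Optional

# Go-style units expressed in nanoseconds (both micro-sign spellings accepted).
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "μs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# One number+unit component; two-letter units come first so "ms" is not read as "m".
_GO_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|[µμ]s|ms|s|m|h)")


def parse_go_duration(text: str) -> Optional[int]:
    """Return the duration in nanoseconds, or None if `text` is not valid.

    Accepts one or more components written back to back ("2h45m"); rejects
    empty strings, bare numbers, unknown units and trailing characters.
    """
    if not text:
        return None
    pos, total = 0, Fraction(0)
    while pos < len(text):
        m = _GO_COMPONENT.match(text, pos)
        if m is None:
            return None
        total += Fraction(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    # A fraction of a nanosecond ("0.5ns") cannot be represented.
    return int(total) if total.denominator == 1 else None


_MFA_DURATION = re.compile(r"^(\d+)([mh])$")
MFA_MAX_MINUTES = 720 * 60  # 720h, the documented maximum


def parse_mfa_duration(text: str) -> Optional[int]:
    """Return the MFA session length in minutes, or None if invalid.

    Only whole minutes or hours are accepted and the result must not exceed
    720h; "300ms" or "1.5h" are rejected even though the Go-style grammar
    would accept them.
    """
    m = _MFA_DURATION.match(text or "")
    if m is None:
        return None
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes if minutes <= MFA_MAX_MINUTES else None


def check_policy_durations(policy: dict) -> List[str]:
    """Lint the duration fields of one policy given as a plain dict.

    The keys mirror the policy fields on this page (`session_duration`,
    `mfa_config.session_duration`, `mfa_config.mfa_disabled`). Returns
    human-readable findings; an empty list means nothing was flagged.
    """
    findings = []
    sd = policy.get("session_duration")
    if sd is not None and parse_go_duration(sd) is None:
        findings.append(f"session_duration {sd!r}: not a valid Go-style duration")
    mfa = policy.get("mfa_config") or {}
    msd = mfa.get("session_duration")
    if msd is not None and parse_mfa_duration(msd) is None:
        findings.append(f"mfa_config.session_duration {msd!r}: must be <n>m or <n>h, at most 720h")
    if mfa.get("mfa_disabled"):
        findings.append("mfa_config.mfa_disabled is true: this policy does not enforce MFA")
    return findings


# Constructed sample: the MFA field was written in the token-duration grammar.
SAMPLE_POLICY = {
    "name": "engineers",
    "session_duration": "2h45m",
    "mfa_config": {"session_duration": "300ms", "mfa_disabled": False},
}

if __name__ == "__main__":
    for finding in check_policy_durations(SAMPLE_POLICY):
        print(finding)
```

Running the sample flags only the MFA field: `2h45m` is a valid token lifetime, but `300ms` is not a whole number of minutes or hours. The `mfa_disabled` check is included because the field description says the flag can be set at policy level, where it quietly turns MFA off for anyone the policy matches.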
- `policies: Optional[List[BookmarkApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class InfrastructureApplication: …` - `target_criteria: List[InfrastructureApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["SSH"]` The communication protocol your application secures. 
- `"SSH"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `aud: Optional[str]` Audience tag. - `name: Optional[str]` The name of the application. - `policies: Optional[List[InfrastructureApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application. - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: Optional[bool]` Enables using Identity Provider email alias as SSH username. - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. 
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access policy. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
- `target_criteria: List[BrowserRDPApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["RDP"]` The communication protocol your application secures. - `"RDP"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserRDPApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. 
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[BrowserRDPApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class McpServerApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies: Optional[List[McpServerApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerPortalApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies: Optional[List[McpServerPortalApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. 
Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. 
- `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. 
- `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. ### Application Create Response - `ApplicationCreateResponse` - `class SelfHostedApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. 
This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `allow_all_headers: Optional[bool]` Allows all HTTP request headers. - `allow_all_methods: Optional[bool]` Allows all HTTP request methods. - `allow_all_origins: Optional[bool]` Allows all origins. - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers. - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins. - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class SelfHostedApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. 
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: Optional[List[SelfHostedApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. 
- `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` The authentication scheme (or list of schemes) used when making SCIM requests to this application; one of the variants below. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: str` Password used to authenticate with the remote SCIM service. - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: str` User name used to authenticate with the remote SCIM service. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `token: str` Token used to authenticate with the remote SCIM service. - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: str` URL used to generate the auth code used during token generation. - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations. 
- `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations. - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class SaaSApplication: …` - `id: Optional[str]` UUID. 
- `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `policies: Optional[List[SaaSApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
- `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim.
Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group.
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
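The policy fields above define three rule lists with different combinators: Include is OR (at least one rule must match), Require is AND (every rule must match), Exclude is NOT (no rule may match), and policies are ordered by `precedence`. The following is an added example, not Cloudflare's evaluator or SDK code, that models those documented semantics locally so that a policy set can be unit-tested before it is pushed through the API. The rule JSON shapes (`{"email": {"email": …}}`, `{"email_domain": {"domain": …}}`, `{"group": {"id": …}}`, `{"ip": {"ip": …}}`, `{"everyone": {}}`), the flattened identity dict, and "first matching policy by precedence decides, otherwise no decision" are assumptions of this model; rule types it does not model never match.

```python
"""Local model of Access policy evaluation: include (OR), require (AND),
exclude (NOT); the first matching policy in precedence order decides.

Added example. The rule shapes, the identity dict and the first-match
ordering are assumptions that mirror the SDK's rule classes; this is not
the service's own evaluator.
"""
import ipaddress
from typing import Any, Dict, List, Optional

Rule = Dict[str, Any]
Identity = Dict[str, Any]


def rule_matches(rule: Rule, identity: Identity) -> bool:
    """Evaluate a single rule. Unmodelled rule types never match (fail closed)."""
    email = (identity.get("email") or "").lower()
    if "everyone" in rule:
        return True
    if "email" in rule:
        return email == rule["email"]["email"].lower()
    if "email_domain" in rule:
        return email.rpartition("@")[2] == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in identity.get("groups", [])
    if "ip" in rule:
        src = identity.get("ip")
        if src is None:
            return False
        return ipaddress.ip_address(src) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    return False


def policy_matches(policy: Dict[str, Any], identity: Identity) -> bool:
    """At least one Include rule, every Require rule, and no Exclude rule."""
    include: List[Rule] = policy.get("include") or []
    require: List[Rule] = policy.get("require") or []
    exclude: List[Rule] = policy.get("exclude") or []
    if not any(rule_matches(r, identity) for r in include):
        return False  # an empty Include list can never match
    if not all(rule_matches(r, identity) for r in require):
        return False
    return not any(rule_matches(r, identity) for r in exclude)


def decide(policies: List[Dict[str, Any]], identity: Identity) -> Optional[str]:
    """Decision of the first matching policy by precedence, or None if none match
    (assumption: no implicit default decision)."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"]
    return None


# Constructed sample policy set for the demonstration.
SAMPLE_POLICIES = [
    {
        "name": "Deny contractor accounts",
        "precedence": 1,
        "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
    },
    {
        "name": "Engineering from the office range",
        "precedence": 2,
        "decision": "allow",
        "include": [{"group": {"id": "grp-eng"}}, {"email": {"email": "oncall@example.com"}}],
        "require": [{"ip": {"ip": "203.0.113.0/24"}}],
        "exclude": [{"email": {"email": "former.employee@example.com"}}],
    },
]

if __name__ == "__main__":
    office_eng = {"email": "dev@example.com", "groups": ["grp-eng"], "ip": "203.0.113.7"}
    print(decide(SAMPLE_POLICIES, office_eng))  # allow
```

The deny policy is given the lowest precedence number so that a contractor who also happens to be in `grp-eng` is refused before the allow policy is consulted; the same identity evaluated from outside `203.0.113.0/24` produces no decision at all because the Require rule fails.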
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `saas_app: Optional[SaaSApplicationSaaSApp]` - `class SAMLSaaSApp: …` - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: Optional[List[CustomAttribute]]` - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute. - `name: Optional[str]` The name of the attribute. - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: Optional[bool]` If the attribute is required when building a SAML assertion. - `source: Optional[CustomAttributeSource]` - `name: Optional[str]` The name of the IdP attribute. - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name. - `idp_id: Optional[str]` The UID of the IdP. - `source_name: Optional[str]` The name of the IdP provided attribute. - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application. - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application. 
- `"id"` - `"email"` - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider. - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests. - `class OIDCSaaSApp: …` - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: Optional[bool]` Whether the token endpoint may be called without a client secret when the authorization_code_with_pkce grant is used (public clients). - `app_launcher_url: Optional[str]` The URL where this application's tile redirects users. - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the saas app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: Optional[str]` The application client id. - `client_secret: Optional[str]` The application client secret, only returned on POST request. - `custom_claims: Optional[List[CustomClaim]]` - `name: Optional[str]` The name of the claim. - `required: Optional[bool]` If the claim is required when building an OIDC token.
- `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: Optional[CustomClaimSource]` - `name: Optional[str]` The name of the IdP claim. - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name. - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", "hybrid", "implicit"]]]` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: Optional[str]` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint. - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]` - `return_access_token_from_authorization_endpoint: Optional[bool]` If an Access Token should be returned from the OIDC Authorization endpoint. - `return_id_token_from_authorization_endpoint: Optional[bool]` If an ID Token should be returned from the OIDC Authorization endpoint. - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity. - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens to. - `refresh_token_options: Optional[RefreshTokenOptions]` - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` The authentication scheme (or list of schemes) used when making SCIM requests to this application; one of the variants below. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes. - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. 
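Several duration fields in this schema carry different grammars and bounds: application and policy `session_duration` (format `300ms` or `2h45m`, units ns, us/µs, ms, s, m, h), the MFA `session_duration` (m or h only, 0m to 720h), the OIDC `access_token_lifetime` (m or h, 1m to 24h) and the refresh-token `lifetime` (m, h or d, strictly longer than 1m). The API rejects violations, but a client that validates first gets a readable error instead of a failed request. The following is an added example, not SDK code. It assumes the `300ms` / `2h45m` examples denote the Go `time.ParseDuration` grammar (one or more number-plus-unit components, decimals allowed, no sign or whitespace); the validator names are this example's own.

```python
"""Go-style duration parsing plus the bounds documented for the Access
duration fields. Added example, not SDK code; the grammar is assumed to be
Go's time.ParseDuration form, which the `300ms` / `2h45m` examples imply.
"""
import re
from fractions import Fraction
from typing import Iterable, Optional

NS = 1
US = 1_000 * NS
MS = 1_000 * US
S = 1_000 * MS
M = 60 * S
H = 60 * M
D = 24 * H  # only legal where the schema lists `d` (refresh token lifetime)

_UNIT_NS = {"ns": NS, "us": US, "µs": US, "μs": US, "ms": MS, "s": S, "m": M, "h": H, "d": D}
GO_UNITS = frozenset({"ns", "us", "µs", "μs", "ms", "s", "m", "h"})
# number with optional fraction, followed by a unit; longer units listed first
_TOKEN = re.compile(r"(\d+(?:\.\d+)?|\.\d+)(ns|us|µs|μs|ms|s|m|h|d)")


def parse_duration(text: str, units: Iterable[str] = GO_UNITS) -> int:
    """Return the duration in nanoseconds, or raise ValueError.

    Every component must carry a unit from `units`; a bare number, a sign,
    whitespace or trailing junk is rejected rather than guessed at.
    """
    allowed = frozenset(units)
    if not text:
        raise ValueError("empty duration")
    total = Fraction(0)
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"malformed duration {text!r} at offset {pos}")
        value, unit = m.groups()
        if unit not in allowed:
            raise ValueError(f"unit {unit!r} not allowed in {text!r}")
        total += Fraction(value) * _UNIT_NS[unit]
        pos = m.end()
    return int(total)


def _bounded(text: str, units: Iterable[str], lo: Optional[int], hi: Optional[int],
             field: str, exclusive_lo: bool = False) -> int:
    ns = parse_duration(text, units)
    if lo is not None and (ns <= lo if exclusive_lo else ns < lo):
        raise ValueError(f"{field} {text!r} is below the documented minimum")
    if hi is not None and ns > hi:
        raise ValueError(f"{field} {text!r} exceeds the documented maximum")
    return ns


def validate_app_session_duration(text: str) -> int:
    """Application/policy `session_duration`: `300ms` / `2h45m` form, units ns..h."""
    return _bounded(text, GO_UNITS, None, None, "session_duration")


def validate_mfa_session_duration(text: str) -> int:
    """`mfa_config.session_duration`: minutes or hours only, 0m to 720h."""
    return _bounded(text, {"m", "h"}, 0, 720 * H, "mfa session_duration")


def validate_oidc_access_token_lifetime(text: str) -> int:
    """OIDC `access_token_lifetime`: units m,h; 1m <= value <= 24h."""
    return _bounded(text, {"m", "h"}, 1 * M, 24 * H, "access_token_lifetime")


def validate_refresh_token_lifetime(text: str) -> int:
    """`refresh_token_options.lifetime`: units m,h,d; strictly longer than 1m."""
    return _bounded(text, {"m", "h", "d"}, 1 * M, None, "refresh token lifetime",
                    exclusive_lo=True)
```

Note that `d` is deliberately absent from `GO_UNITS`: `1d` is accepted for the refresh-token lifetime but is not a valid unit for `session_duration`, which is exactly the kind of mismatch the per-field validators exist to catch.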
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class BrowserSSHApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: Literal["self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp", "mcp", "mcp_portal", "proxy_endpoint"]` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserSSHApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
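The private destination fields above each carry an "omitted means match everything" rule: a `cidr` given as a bare IP is treated as /32, an omitted `l4_protocol` matches both TCP and UDP, an omitted `port_range` matches every port, and an omitted `vnet_id` matches every VNET. The following is an added example, not Cloudflare's matcher, that models those documented semantics over a constructed connection record (`ip`, `sni`, `protocol`, `port`, `vnet_id`). Two points are this example's own assumptions: every field that is specified must match (so `cidr` and `hostname` together are ANDed), and a destination that names neither a `cidr` nor a `hostname` matches nothing rather than everything.

```python
"""Match a connection against an Access private destination.

Added example, not Cloudflare's code. Models the documented fields: `cidr`
(bare IP -> /32), `hostname` (compared with the TLS SNI), `l4_protocol`
(omitted: tcp and udp), `port_range` (single port or `lo-hi`; omitted: all
ports) and `vnet_id` (omitted: all VNETs). Requiring every specified field
to match, and failing closed when neither cidr nor hostname is given, are
assumptions of this example.
"""
import ipaddress
from typing import Any, Dict, Tuple


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'443' -> (443, 443); '8000-8100' -> (8000, 8100); ValueError otherwise."""
    lo_s, sep, hi_s = spec.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if sep else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def private_destination_matches(dest: Dict[str, Any], conn: Dict[str, Any]) -> bool:
    """`conn` describes one flow: ip, sni, protocol ('tcp'/'udp'), port, vnet_id."""
    if dest.get("type", "private") != "private":
        return False
    cidr, hostname = dest.get("cidr"), dest.get("hostname")
    if not cidr and not hostname:
        return False  # nothing to match against: fail closed (assumption)
    if cidr:
        # ip_network("10.0.0.5") is already 10.0.0.5/32; strict=False tolerates host bits
        network = ipaddress.ip_network(cidr, strict=False)
        if conn.get("ip") is None or ipaddress.ip_address(conn["ip"]) not in network:
            return False
    if hostname and (conn.get("sni") or "").lower() != hostname.lower():
        return False
    proto = dest.get("l4_protocol")
    if proto and conn.get("protocol") != proto:
        return False
    port_range = dest.get("port_range")
    if port_range:
        lo, hi = parse_port_range(port_range)
        if not (lo <= int(conn.get("port", -1)) <= hi):
            return False
    vnet = dest.get("vnet_id")
    if vnet and conn.get("vnet_id") != vnet:
        return False
    return True


# Constructed sample destinations for the demonstration.
SAMPLE_DESTINATIONS = [
    {"type": "private", "cidr": "10.20.0.0/16", "l4_protocol": "tcp", "port_range": "443"},
    {"type": "private", "cidr": "10.0.0.5"},  # single IP: /32, any protocol, any port
    {"type": "private", "hostname": "git.internal.example", "port_range": "22-2222",
     "vnet_id": "vnet-a"},
]


def any_destination_matches(conn: Dict[str, Any]) -> bool:
    return any(private_destination_matches(d, conn) for d in SAMPLE_DESTINATIONS)
```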
- `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserSSHApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class BrowserVNCApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserVNCApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserVNCApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
    The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the login button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the login button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator.
      To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page.
- `class DeviceEnrollmentPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BrowserIsolationPermissionsApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login.
    You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim.
Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class GatewayIdentityProxyEndpointApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `class BookmarkApplication: …`
  - `id: Optional[str]` UUID.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `domain: Optional[str]` The URL or domain of the bookmark.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
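The two `session_duration` fields described above use different grammars: the token lifetime (policy-level and application-level) takes a Go-style duration such as `300ms` or `2h45m` with units ns, us (or µs), ms, s, m, h, while the MFA `session_duration` under `mfa_config` accepts only minutes or hours and is bounded to 0m..720h. A value that is valid for one is rejected for the other, and an invalid string is only discovered when the API rejects the write. The following is an added example, not code from the Cloudflare SDK or this reference: two strict parsers for those grammars and a checker that walks an application dict shaped like the `*Application` classes above. The dict, the sample values, and the choice to accept chained MFA components such as `1h30m` are assumptions of this example.

```python
import re
from decimal import Decimal

# Units the reference lists for token session_duration, as nanoseconds per unit.
# Both U+00B5 (micro sign) and U+03BC (Greek mu) are accepted for "µs".
_TOKEN_UNITS_NS = {
    "ns": 1,
    "us": 1_000, "µs": 1_000, "μs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# Multi-letter units come first so "ms" is not read as "m" followed by junk.
_TOKEN_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)")
_MFA_COMPONENT = re.compile(r"(\d+)(m|h)")
MFA_MAX_MINUTES = 720 * 60  # reference: maximum 720h (30 days)


def _consume(pattern: re.Pattern, value: str):
    """Yield (number, unit) for a string made only of consecutive components."""
    pos = 0
    for m in pattern.finditer(value):
        if m.start() != pos:  # gap, space or unknown characters between components
            raise ValueError(f"bad duration {value!r}")
        yield m.group(1), m.group(2)
        pos = m.end()
    if pos == 0 or pos != len(value):  # empty, no unit, or trailing junk
        raise ValueError(f"bad duration {value!r}")


def parse_token_session_duration(value: str) -> int:
    """Parse a `300ms` / `2h45m` token lifetime into nanoseconds, or raise ValueError."""
    total = Decimal(0)
    for number, unit in _consume(_TOKEN_COMPONENT, value):
        total += Decimal(number) * _TOKEN_UNITS_NS[unit]
    return int(total)


def parse_mfa_session_duration(value: str) -> int:
    """Parse an MFA session_duration (`5m`, `24h`) into minutes and enforce
    the stated bounds. Only m and h are units; anything above 720h is rejected."""
    minutes = 0
    for number, unit in _consume(_MFA_COMPONENT, value):
        minutes += int(number) * (60 if unit == "h" else 1)
    if minutes > MFA_MAX_MINUTES:
        raise ValueError(f"MFA duration {value!r} exceeds 720h")
    return minutes


def audit_session_durations(app: dict) -> list:
    """Return one finding per invalid duration in an application-shaped dict.
    Only the session_duration fields are read; other fields are ignored."""
    findings = []

    def check(label, value, parser):
        if value is None:
            return
        try:
            parser(value)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")

    check("application.session_duration", app.get("session_duration"), parse_token_session_duration)
    for policy in app.get("policies") or []:
        name = policy.get("name") or policy.get("id") or "<unnamed>"
        check(f"policy {name}.session_duration", policy.get("session_duration"), parse_token_session_duration)
        mfa = policy.get("mfa_config") or {}
        check(f"policy {name}.mfa_config.session_duration", mfa.get("session_duration"), parse_mfa_session_duration)
    return findings


# Constructed sample (not from a real account): one bad MFA value, one bad token value.
SAMPLE_APP = {
    "name": "internal-wiki",
    "session_duration": "24h",
    "policies": [
        {"name": "staff", "session_duration": "2h45m",
         "mfa_config": {"session_duration": "30d"}},        # "d" is not a unit
        {"name": "contractors", "session_duration": "8h30",  # trailing number with no unit
         "mfa_config": {"session_duration": "720h"}},
    ],
}

if __name__ == "__main__":
    for line in audit_session_durations(SAMPLE_APP):
        print(line)
```

Running the audit over a real listing would mean replacing `SAMPLE_APP` with each `Application` returned by the SDK, converted with its `to_dict()` or read attribute by attribute; the parsers themselves do not depend on the SDK.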
  - `policies: Optional[List[BookmarkApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: Optional[ApplicationType]` The application type.
- `class InfrastructureApplication: …`
  - `target_criteria: List[InfrastructureApplicationTargetCriterion]`
    - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: Literal["SSH"]` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `aud: Optional[str]` Audience tag.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[InfrastructureApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application.
      - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: Optional[bool]` Enables using the identity provider email alias as the SSH username.
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `name: Optional[str]` The name of the Access policy.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
- `target_criteria: List[BrowserRDPApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["RDP"]` The communication protocol your application secures. - `"RDP"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application. - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserRDPApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: Optional[List[BrowserRDPApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
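The policy fields above (`include`, `require`, `exclude`, `precedence`, `decision`) are the same for the `BrowserRDPApplication` policies here and the `McpServerApplication` policies later on this page: `include` rules are ORed, `require` rules are ANDed, and any matching `exclude` rule vetoes the policy. The block below is an added illustrative model of that evaluation written for this page; it is not the SDK's or Access's own code. The rule classes, whose fields the page elides, are stood in for by toy one-key dicts (`{"email": ...}`, `{"group": ...}`, `{"country": ...}`, `{"any_valid_service_token": {}}`), and "first matching policy by `precedence` decides, otherwise deny" is an assumption about how Access orders policies, not something the page states.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Rule = Dict[str, object]


@dataclass
class Identity:
    """What the policy engine knows about the requester (constructed for this example)."""
    email: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    country: Optional[str] = None
    service_token_id: Optional[str] = None


# Toy stand-ins for the AccessRule classes on the page; the real rule shapes are assumed, not documented here.
MATCHERS: Dict[str, Callable[[object, Identity], bool]] = {
    "everyone": lambda _v, _i: True,
    "email": lambda v, i: i.email is not None and i.email.lower() == str(v).lower(),
    "email_domain": lambda v, i: i.email is not None and i.email.lower().endswith("@" + str(v).lower()),
    "group": lambda v, i: v in i.groups,
    "country": lambda v, i: i.country == v,
    "service_token": lambda v, i: i.service_token_id == v,
    "any_valid_service_token": lambda _v, i: i.service_token_id is not None,
}


def rule_matches(rule: Rule, ident: Identity) -> bool:
    (kind, value), = rule.items()          # exactly one rule kind per dict
    return MATCHERS[kind](value, ident)


@dataclass
class Policy:
    name: str
    decision: str          # "allow" / "deny" here; Access also has non_identity and bypass
    precedence: int        # must be unique within an application (see the field description above)
    include: List[Rule]
    require: List[Rule] = field(default_factory=list)
    exclude: List[Rule] = field(default_factory=list)


def policy_matches(p: Policy, ident: Identity) -> bool:
    # include: OR. At least one must hit.
    if not any(rule_matches(r, ident) for r in p.include):
        return False
    # require: AND. Every one must hit (vacuously true when empty).
    if not all(rule_matches(r, ident) for r in p.require):
        return False
    # exclude: NOT. A single hit vetoes the policy even though include/require passed.
    if any(rule_matches(r, ident) for r in p.exclude):
        return False
    return True


def evaluate(policies: List[Policy], ident: Identity) -> Tuple[str, str]:
    """Return (policy name, decision). Assumption: first match in precedence order wins, else deny."""
    precs = [p.precedence for p in policies]
    if len(set(precs)) != len(precs):
        raise ValueError("precedence must be unique for each policy within an app")
    for p in sorted(policies, key=lambda p: p.precedence):
        if policy_matches(p, ident):
            return p.name, p.decision
    return "(no match)", "deny"


# Constructed sample policy set: an explicit deny first, then identity and service-token allows.
POLICIES = [
    Policy("Geo block", "deny", 1, include=[{"country": "ZZ"}]),
    Policy("SRE on-call", "allow", 2,
           include=[{"email_domain": "example.com"}],
           require=[{"group": "sre"}],
           exclude=[{"email": "intern@example.com"}]),
    Policy("CI pipeline", "non_identity", 3, include=[{"any_valid_service_token": {}}]),
]

if __name__ == "__main__":
    for who in (
        Identity(email="alice@example.com", groups=["sre"], country="US"),
        Identity(email="intern@example.com", groups=["sre"], country="US"),
        Identity(email="alice@example.com", groups=["sre"], country="ZZ"),
        Identity(service_token_id="ci-token-01"),
    ):
        print(who, "->", evaluate(POLICIES, who))
```

The ordering matters for security: because the deny policy carries the lowest `precedence` it is consulted first, so an otherwise-allowed SRE member from the blocked country is still denied, and the intern is rejected by `exclude` even though both `include` and `require` passed.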
- `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: str` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: str` Client secret of the Access service token used to authenticate with the remote service. - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application. - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: str` Which SCIM resource type this mapping applies to. - `enabled: Optional[bool]` Whether or not this mapping is enabled. - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. 
- `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared. - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `class McpServerApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
- `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: Optional[List[McpServerApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
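The `dynamic_client_registration` settings described for both `BrowserRDPApplicationOAuthConfiguration` and `McpServerApplicationOAuthConfiguration` (`allow_any_on_localhost`, `allow_any_on_loopback`, `allowed_uris` with the `https` requirement and the `/*` suffix) are exactly the knobs that decide which redirect URIs a self-registering OAuth client may claim, which is where an authorization-server open redirect or code-leak bug usually lives. The block below is an added example written for this page, not the SDK's or Access's implementation: it models those documented rules as a redirect-URI check and shows the inputs a practitioner should test against it (scheme downgrade, host suffix tricks, userinfo in the authority, `..` path segments). Treating a port mismatch as a rejection, forbidding fragments and userinfo, and comparing normalized path components rather than raw strings are hardening assumptions of this example, not behaviour the page specifies.

```python
import posixpath
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Parsed = Tuple[str, str, Optional[int], str]   # scheme, host, port, normalized path


@dataclass
class DynamicClientRegistration:
    """Mirrors the dynamic_client_registration fields on the page (illustrative only)."""
    enabled: bool = False
    allow_any_on_localhost: bool = False
    allow_any_on_loopback: bool = False
    allowed_uris: List[str] = field(default_factory=list)


def _split(uri: str) -> Optional[Parsed]:
    """Break a URI into comparable parts; None means it is unusable as a redirect URI."""
    p = urlsplit(uri)
    try:
        port = p.port                      # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # Fragments and userinfo never belong in a redirect URI; "https://good@evil/" parses host=evil.
    if p.fragment or p.username or p.password or not p.hostname:
        return None
    path = posixpath.normpath(p.path or "/")   # collapse "/cb/../admin" to "/admin"
    if p.path.endswith("/") and path != "/":
        path += "/"                            # keep a trailing slash so prefixes stay directory-bound
    return p.scheme.lower(), p.hostname.lower(), port, path


def _pattern_allows(pattern: str, target: Parsed) -> bool:
    """Match one allowed_uris entry; a trailing '/*' covers that directory and all sub-paths."""
    wildcard = pattern.endswith("/*")
    base = _split(pattern[:-1] if wildcard else pattern)
    if base is None:
        return False
    scheme, host, port, path = base
    t_scheme, t_host, t_port, t_path = target
    if (scheme, host, port) != (t_scheme, t_host, t_port):
        return False                       # exact authority match; no suffix or port games
    return t_path.startswith(path) if wildcard else t_path == path


def redirect_uri_allowed(uri: str, cfg: DynamicClientRegistration) -> bool:
    """Decide whether a dynamically registering client may use this redirect URI."""
    if not cfg.enabled:
        return False
    target = _split(uri)
    if target is None:
        return False
    scheme, host, _, _ = target
    # Native-app loopback redirects are allowed on any scheme/port when the toggle is on,
    # but only for the literal hosts named on the page, never "localhost.evil.example".
    if host == "localhost" and cfg.allow_any_on_localhost:
        return True
    if host == "127.0.0.1" and cfg.allow_any_on_loopback:
        return True
    if scheme != "https":
        return False                       # page: allowed_uris must use the https protocol
    return any(_pattern_allows(p, target) for p in cfg.allowed_uris)


# Constructed configuration for the usage below.
SAMPLE_CFG = DynamicClientRegistration(
    enabled=True,
    allow_any_on_loopback=True,
    allowed_uris=["https://app.example.com/cb/*", "https://ide.example.com/oauth/callback"],
)

if __name__ == "__main__":
    for candidate in (
        "https://app.example.com/cb/x",
        "http://app.example.com/cb/x",
        "https://app.example.com/cb/../admin",
        "https://app.example.com@evil.example/cb/x",
        "http://127.0.0.1:49152/callback",
        "http://localhost:49152/callback",
    ):
        print(candidate, "->", redirect_uri_allowed(candidate, SAMPLE_CFG))
```

The `allow_any_on_localhost` and `allow_any_on_loopback` toggles are the permissive path: with either on, any client that can make the user's browser hit a listener on that host gets its authorization code, so they should stay off unless native-app clients genuinely need them.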
- `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. 
Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
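The policy schema above (repeated for `McpServerPortalApplication` further down) defines how the three rule lists combine: `include` is an OR, `exclude` a NOT and `require` an AND, with `precedence` ordering the policies. The following added example, which is not part of the Cloudflare SDK, evaluates policies of that shape against a constructed identity; the rule wire keys (`email`, `email_domain`, `group`, `ip`, `geo`, `login_method`, `everyone`, `any_valid_service_token`) and the first-match-by-precedence ordering are assumptions, not taken from this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Constructed identity (not an SDK type): the attributes the rule types below test.
@dataclass
class Identity:
    email: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    ip: Optional[str] = None
    country: Optional[str] = None
    idp_id: Optional[str] = None
    service_token: bool = False


Rule = Dict[str, Dict[str, object]]


def rule_matches(rule: Rule, who: Identity) -> bool:
    """Evaluate one AccessRule. Each rule object carries a single key naming
    its type; the key names are assumed from the Access API and correspond to
    the SDK classes listed above (EmailRule, DomainRule, GroupRule, ...)."""
    if len(rule) != 1:
        raise ValueError(f"a rule must have exactly one type key: {rule!r}")
    ((kind, body),) = rule.items()
    if kind == "everyone":  # EveryoneRule
        return True
    if kind == "any_valid_service_token":  # AnyValidServiceTokenRule
        return who.service_token
    if kind == "email":  # EmailRule: exact address, case-insensitive
        return who.email is not None and who.email.lower() == str(body["email"]).lower()
    if kind == "email_domain":  # DomainRule: the whole domain, not a suffix match
        if who.email is None or "@" not in who.email:
            return False
        return who.email.rsplit("@", 1)[1].lower() == str(body["domain"]).lower()
    if kind == "group":  # GroupRule
        return body["id"] in who.groups
    if kind == "ip":  # IPRule: CIDR block; a bare address is treated as a single host
        if who.ip is None:
            return False
        return ipaddress.ip_address(who.ip) in ipaddress.ip_network(str(body["ip"]), strict=False)
    if kind == "geo":  # CountryRule
        return who.country == body["country_code"]
    if kind == "login_method":  # AccessLoginMethodRule
        return who.idp_id == body["id"]
    # Fail closed on rule types this example does not implement.
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: dict, who: Identity) -> bool:
    """include = OR, exclude = NOT, require = AND, as the field docs above state.
    An empty include list can never match."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(rule_matches(r, who) for r in include):
        return False
    if any(rule_matches(r, who) for r in exclude):
        return False
    return all(rule_matches(r, who) for r in require)


def decide(policies: List[dict], who: Identity) -> Optional[str]:
    """Evaluate policies in ascending `precedence`; the first match supplies the
    `decision` (assumed ordering). None means no policy matched, which a caller
    must treat as a denial."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"]
    return None


# Constructed sample policies in the shape of the `policies` field above.
SAMPLE_POLICIES = [
    {
        "name": "Block contractors", "precedence": 1, "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
    },
    {
        "name": "Engineering from the office network", "precedence": 2, "decision": "allow",
        "include": [{"group": {"id": "grp-eng"}}, {"email": {"email": "oncall@example.com"}}],
        "exclude": [{"geo": {"country_code": "XX"}}],  # XX: constructed placeholder country
        "require": [{"ip": {"ip": "10.0.0.0/8"}}],
    },
]

if __name__ == "__main__":
    dev = Identity(email="ann@example.com", groups=["grp-eng"], ip="10.4.2.7", country="US")
    print(decide(SAMPLE_POLICIES, dev))  # allow
```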
      - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: Optional[datetime]`
    - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: str` The base URI for the application's SCIM-compatible API.
      - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
          - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
      - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: str` Which SCIM resource type this mapping applies to.
        - `enabled: Optional[bool]` Whether or not this mapping is enabled.
        - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `class McpServerPortalApplication: …`
    - `type: ApplicationType` The application type.
    - `id: Optional[str]` UUID.
    - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
    - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: Optional[Literal["public"]]`
          - `"public"`
        - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `class McpServerPortalApplicationDestinationPrivateDestination: …`
        - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: Optional[Literal["private"]]`
          - `"private"`
        - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
        - `type: Optional[Literal["via_mcp_server_portal"]]`
          - `"via_mcp_server_portal"`
    - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `name: Optional[str]` The name of the application.
    - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
      - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
        - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies: Optional[List[McpServerPortalApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy.
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: Optional[str]` The name of the Access policy.
      - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
      - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: Optional[datetime]`
    - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: str` The base URI for the application's SCIM-compatible API.
      - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
          - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
      - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: str` Which SCIM resource type this mapping applies to.
        - `enabled: Optional[bool]` Whether or not this mapping is enabled.
        - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Update Response

- `ApplicationUpdateResponse`
  - `class SelfHostedApplication: …`
    - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: Optional[str]` UUID.
    - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: Optional[CORSHeaders]`
      - `allow_all_headers: Optional[bool]` Allows all HTTP request headers.
      - `allow_all_methods: Optional[bool]` Allows all HTTP request methods.
      - `allow_all_origins: Optional[bool]` Allows all origins.
      - `allow_credentials: Optional[bool]` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: Optional[List[AllowedHeaders]]` Allowed HTTP request headers.
      - `allowed_methods: Optional[List[AllowedMethods]]` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: Optional[List[AllowedOrigins]]` Allowed origins.
      - `max_age: Optional[float]` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
    - `destinations: Optional[List[SelfHostedApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `class SelfHostedApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
        - `type: Optional[Literal["public"]]`
          - `"public"`
        - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `class SelfHostedApplicationDestinationPrivateDestination: …`
        - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: Optional[Literal["private"]]`
          - `"private"`
        - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `class SelfHostedApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
        - `type: Optional[Literal["via_mcp_server_portal"]]`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: Optional[SelfHostedApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the application.
    - `oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
      - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: Optional[SelfHostedApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
        - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
    - `policies: Optional[List[SelfHostedApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy.
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SelfHostedApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
          - `group: Group`
            - `id: str` The ID of a previously created Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
          - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: AccessAuthContextRuleAuthContext`
            - `id: str` The ID of an Authentication context.
            - `ac_id: str` The ACID of an Authentication context.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
          - `auth_method: AuthMethod`
            - `auth_method: str` The type of authentication method, as defined in [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
          - `azure_ad: AzureAD`
            - `id: str` The ID of an Azure group.
            - `identity_provider_id: str` The ID of your Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
          - `certificate: Certificate`
        - `class AccessCommonNameRule: …` Matches a specific common name.
          - `common_name: AccessCommonNameRuleCommonName`
            - `common_name: str` The common name to match.
        - `class CountryRule: …` Matches a specific country.
          - `geo: Geo`
            - `country_code: str` The country code that should be matched.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
          - `device_posture: DevicePosture`
            - `integration_uid: str` The ID of a device posture integration.
        - `class DomainRule: …` Matches an entire email domain.
          - `email_domain: EmailDomain`
            - `domain: str` The email domain to match.
        - `class EmailListRule: …` Matches an email address from a list.
          - `email_list: EmailList`
            - `id: str` The ID of a previously created email list.
        - `class EmailRule: …` Matches a specific email.
          - `email: Email`
            - `email: str` The email of the user.
        - `class EveryoneRule: …` Matches everyone.
          - `everyone: Everyone` An empty object which matches on all users.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: ExternalEvaluation`
            - `evaluate_url: str` The API endpoint containing your business logic.
            - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
          - `github_organization: GitHubOrganization`
            - `identity_provider_id: str` The ID of your GitHub identity provider.
            - `name: str` The name of the organization.
            - `team: Optional[str]` The name of the team.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: GSuite`
            - `email: str` The email of the Google Workspace group.
            - `identity_provider_id: str` The ID of your Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
          - `login_method: AccessLoginMethodRuleLoginMethod`
            - `id: str` The ID of an identity provider.
        - `class IPListRule: …` Matches an IP address from a list.
          - `ip_list: IPList`
            - `id: str` The ID of a previously created IP list.
        - `class IPRule: …` Matches an IP address block.
          - `ip: IP`
            - `ip: str` An IPv4 or IPv6 CIDR block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
          - `okta: Okta`
            - `identity_provider_id: str` The ID of your Okta identity provider.
            - `name: str` The name of the Okta group.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
          - `saml: SAML`
            - `attribute_name: str` The name of the SAML attribute.
            - `attribute_value: str` The SAML attribute value to look for.
            - `identity_provider_id: str` The ID of your SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: AccessOIDCClaimRuleOIDC`
            - `claim_name: str` The name of the OIDC claim.
            - `claim_value: str` The OIDC claim value to look for.
            - `identity_provider_id: str` The ID of your OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
          - `service_token: ServiceToken`
            - `token_id: str` The ID of a Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
          - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
            - `app_uid: str` The ID of an Access OIDC SaaS application.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
          - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
            - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: Optional[str]` The name of the Access policy.
      - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
      - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: Optional[datetime]`
    - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to:

      ```json
      {
        "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
        "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
      }
      ```

    - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: Optional[SelfHostedApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: str` The base URI for the application's SCIM-compatible API.
      - `authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: str` Password used to authenticate with the remote SCIM service.
          - `scheme: Literal["httpbasic"]` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: str` User name used to authenticate with the remote SCIM service.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: str` Token used to authenticate with the remote SCIM service.
          - `scheme: Literal["oauthbearertoken"]` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: str` URL used to generate the auth code used during token generation.
          - `client_id: str` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: str` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: Literal["oauth2"]` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: str` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: Optional[List[str]]` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
          - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: Optional[bool]` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource instead. Note: some targets do not support DELETE operations.
      - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
      - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: str` Which SCIM resource type this mapping applies to.
        - `enabled: Optional[bool]` Whether or not this mapping is enabled.
        - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: Optional[bool]` Whether or not this mapping applies to create (POST) operations.
          - `delete: Optional[bool]` Whether or not this mapping applies to DELETE operations.
          - `update: Optional[bool]` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
    - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `class SaaSApplication: …`
    - `id: Optional[str]` UUID.
    - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
    - `aud: Optional[str]` Audience tag.
    - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
    - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
    - `name: Optional[str]` The name of the application.
    - `policies: Optional[List[SaaSApplicationPolicy]]`
      - `id: Optional[str]` The UUID of the policy.
      - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
        - `approvals_needed: float` The number of approvals needed to obtain access.
        - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
        - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
      - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: Optional[SaaSApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
        - `rdp: Optional[SaaSApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: Optional[datetime]`
      - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `class GroupRule: …` Matches an Access group.
        - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
        - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `class AuthenticationMethodRule: …` Enforces different MFA options.
        - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
        - `class CertificateRule: …` Matches any valid client certificate.
        - `class AccessCommonNameRule: …` Matches a specific common name.
        - `class CountryRule: …` Matches a specific country.
        - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
        - `class DomainRule: …` Matches an entire email domain.
        - `class EmailListRule: …` Matches an email address from a list.
        - `class EmailRule: …` Matches a specific email.
        - `class EveryoneRule: …` Matches everyone.
        - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
        - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
        - `class IPListRule: …` Matches an IP address from a list.
        - `class IPRule: …` Matches an IP address block.
        - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
        - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
        - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
        - `class ServiceTokenRule: …` Matches a specific Access Service Token.
        - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: Optional[SaaSApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: Optional[str]` The name of the Access policy.
      - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
      - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: Optional[datetime]`
- `saas_app: Optional[SaaSApplicationSaaSApp]`
  - `class SAMLSaaSApp: …`
    - `auth_type: Optional[Literal["saml", "oidc"]]` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset.
      - `"saml"`
      - `"oidc"`
    - `consumer_service_url: Optional[str]` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
    - `custom_attributes: Optional[List[CustomAttribute]]`
      - `friendly_name: Optional[str]` The SAML FriendlyName of the attribute.
      - `name: Optional[str]` The name of the attribute.
      - `name_format: Optional[Literal["urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"]]` A globally unique name for an identity or service provider.
        - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
        - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
        - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
      - `required: Optional[bool]` Whether the attribute is required when building a SAML assertion.
      - `source: Optional[CustomAttributeSource]`
        - `name: Optional[str]` The name of the IdP attribute.
        - `name_by_idp: Optional[List[CustomAttributeSourceNameByIdP]]` A mapping from IdP ID to attribute name.
          - `idp_id: Optional[str]` The UID of the IdP.
          - `source_name: Optional[str]` The name of the IdP-provided attribute.
    - `default_relay_state: Optional[str]` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
    - `idp_entity_id: Optional[str]` The unique identifier for your SaaS application.
    - `name_id_format: Optional[SaaSAppNameIDFormat]` The format of the name identifier sent to the SaaS application.
      - `"id"`
      - `"email"`
    - `name_id_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
    - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
    - `saml_attribute_transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
    - `sp_entity_id: Optional[str]` A globally unique name for an identity or service provider.
    - `sso_endpoint: Optional[str]` The endpoint where your SaaS application will send login requests.
  - `class OIDCSaaSApp: …`
    - `access_token_lifetime: Optional[str]` The lifetime of the OIDC Access Token after creation. Valid units are m and h. Must be greater than or equal to 1m and less than or equal to 24h.
    - `allow_pkce_without_client_secret: Optional[bool]` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
    - `app_launcher_url: Optional[str]` The URL to which this application's tile redirects users.
    - `auth_type: Optional[Literal["saml", "oidc"]]` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
      - `"saml"`
      - `"oidc"`
    - `client_id: Optional[str]` The application client id.
    - `client_secret: Optional[str]` The application client secret; only returned on a POST request.
    - `custom_claims: Optional[List[CustomClaim]]`
      - `name: Optional[str]` The name of the claim.
      - `required: Optional[bool]` Whether the claim is required when building an OIDC token.
      - `scope: Optional[Literal["groups", "profile", "email", "openid"]]` The scope of the claim.
        - `"groups"`
        - `"profile"`
        - `"email"`
        - `"openid"`
      - `source: Optional[CustomClaimSource]`
        - `name: Optional[str]` The name of the IdP claim.
        - `name_by_idp: Optional[Dict[str, str]]` A mapping from IdP ID to claim name.
    - `grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]` The OIDC flows supported by this application.
      - `"authorization_code"`
      - `"authorization_code_with_pkce"`
      - `"refresh_tokens"`
      - `"hybrid"`
      - `"implicit"`
    - `group_filter_regex: Optional[str]` A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint.
    - `hybrid_and_implicit_options: Optional[HybridAndImplicitOptions]`
      - `return_access_token_from_authorization_endpoint: Optional[bool]` Whether an Access Token should be returned from the OIDC Authorization endpoint.
      - `return_id_token_from_authorization_endpoint: Optional[bool]` Whether an ID Token should be returned from the OIDC Authorization endpoint.
    - `public_key: Optional[str]` The Access public certificate that will be used to verify your identity.
    - `redirect_uris: Optional[List[str]]` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens to.
    - `refresh_token_options: Optional[RefreshTokenOptions]`
      - `lifetime: Optional[str]` How long a refresh token will be valid for after creation. Valid units are m, h and d. Must be longer than 1m.
    - `scopes: Optional[List[Literal["openid", "groups", "email", "profile"]]]` Defines the user information shared with Access; the "offline_access" scope will be enabled automatically if refresh tokens are enabled.
      - `"openid"`
      - `"groups"`
      - `"email"`
      - `"profile"`
- `scim_config: Optional[SaaSApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
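The duration fields above use three different grammars and bound sets: the token `session_duration` fields take the Go-style `300ms` / `2h45m` form with units ns, us (or µs), ms, s, m, h; the MFA `session_duration` takes only m or h between 0m and 720h; the OIDC `access_token_lifetime` takes m or h between 1m and 24h inclusive; and `refresh_token_options.lifetime` takes m, h or d and must be strictly longer than 1m. The same constraints recur on the Browser SSH/VNC application fields later on this page. The following is an added example, not Cloudflare SDK code, that parses these strings and checks each family's stated constraints before a value is sent to the API; the field-family labels in `FIELD_RULES` are my own names, not API parameters.

```python
import re
from typing import Optional, Set

# Nanoseconds per unit. "d" is legal only where the page lists it (refresh token lifetime).
_NS = {
    "ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6, "s": 10**9,
    "m": 60 * 10**9, "h": 3_600 * 10**9, "d": 86_400 * 10**9,
}
# One Go-style component: a decimal number followed by a unit (two-letter units listed first).
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h|d)")


def parse_duration(value: str, units: Set[str]) -> int:
    """Parse a Go-style duration such as '2h45m' or '300ms' into nanoseconds.

    Only units contained in `units` are accepted; anything else raises ValueError.
    """
    if not isinstance(value, str) or not value:
        raise ValueError("duration must be a non-empty string")
    pos, total = 0, 0
    while pos < len(value):
        m = _COMPONENT.match(value, pos)
        if m is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        number, unit = m.groups()
        if unit not in units:
            raise ValueError(f"unit {unit!r} is not allowed here ({value!r})")
        total += int(float(number) * _NS[unit])
        pos = m.end()
    return total


GO_UNITS = {"ns", "us", "µs", "ms", "s", "m", "h"}

# Constraints exactly as the page states them; the keys are my own labels for each field family.
FIELD_RULES = {
    # session_duration / oauth grant lifetimes: Go format, no bounds stated
    "token_session_duration": {"units": GO_UNITS, "min": None, "max": None, "min_exclusive": False},
    # mfa_config.session_duration: m or h, 0m .. 720h (30 days)
    "mfa_session_duration": {"units": {"m", "h"}, "min": 0, "max": 720 * _NS["h"], "min_exclusive": False},
    # OIDCSaaSApp.access_token_lifetime: m or h, 1m .. 24h inclusive
    "oidc_access_token_lifetime": {"units": {"m", "h"}, "min": _NS["m"], "max": 24 * _NS["h"], "min_exclusive": False},
    # refresh_token_options.lifetime: m, h or d, strictly longer than 1m
    "refresh_token_lifetime": {"units": {"m", "h", "d"}, "min": _NS["m"], "max": None, "min_exclusive": True},
}


def validate_duration(field: str, value: str) -> Optional[str]:
    """Return None when `value` satisfies the constraints for `field`, otherwise the reason it fails."""
    rule = FIELD_RULES[field]
    try:
        ns = parse_duration(value, rule["units"])
    except ValueError as exc:
        return str(exc)
    lo, hi = rule["min"], rule["max"]
    if lo is not None and (ns <= lo if rule["min_exclusive"] else ns < lo):
        return f"{value!r} is below the minimum for {field}"
    if hi is not None and ns > hi:
        return f"{value!r} exceeds the maximum for {field}"
    return None


def is_valid_duration(field: str, value: str) -> bool:
    return validate_duration(field, value) is None
```

Validating locally avoids a round trip that ends in a 4xx from the API, and it catches the easy mistake of reusing a Go-style value such as `30s` in the MFA field, which only accepts minutes or hours.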
  - `remote_uri: str` The base URI for the application's SCIM-compatible API.
  - `authentication: Optional[SaaSApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
  - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
  - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: str` Which SCIM resource type this mapping applies to.
    - `enabled: Optional[bool]` Whether or not this mapping is enabled.
    - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `type: Optional[ApplicationType]` The application type.
- `class BrowserSSHApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserSSHApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserSSHApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserSSHApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserSSHApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserSSHApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
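The private destination fields above compose as "every field that is set must match, every omitted field matches everything": a bare `cidr` is treated as /32, an omitted `l4_protocol` matches both TCP and UDP, an omitted `port_range` matches all ports and an omitted `vnet_id` matches all VNETs. The following is an added example, not Cloudflare code, that models those rules so you can check what a destination list will and will not cover before deploying it; `Connection` is an assumed shape for a connection attempt, and the public-destination glob is a plain `fnmatch` illustration rather than Access's exact wildcard semantics.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class PrivateDestination:
    """Mirror of the private destination fields; a None field means 'match all', as the page states."""
    cidr: Optional[str] = None
    hostname: Optional[str] = None
    l4_protocol: Optional[str] = None   # "tcp" or "udp"; omitted matches both
    port_range: Optional[str] = None    # "22" or "5900-5910"; omitted matches all ports
    vnet_id: Optional[str] = None       # omitted matches all VNETs


@dataclass
class Connection:
    """Constructed view of one connection attempt (assumed shape, not an SDK type)."""
    ip: str
    port: int
    protocol: str
    vnet_id: str
    sni: Optional[str] = None


def _port_matches(port: int, port_range: Optional[str]) -> bool:
    if port_range is None:
        return True
    low, _, high = port_range.partition("-")
    low_i = int(low)
    high_i = int(high) if high else low_i          # a single port is a range of one
    return low_i <= port <= high_i


def matches_private_destination(dest: PrivateDestination, conn: Connection) -> bool:
    """Every field that is set must match; fields left at None do not constrain the connection."""
    if dest.cidr is not None:
        # ip_network() gives a bare address a /32 (or /128) mask, which is how the page says single IPs are treated
        if ipaddress.ip_address(conn.ip) not in ipaddress.ip_network(dest.cidr, strict=False):
            return False
    if dest.hostname is not None and (conn.sni is None or conn.sni.lower() != dest.hostname.lower()):
        return False
    if dest.l4_protocol is not None and dest.l4_protocol != conn.protocol.lower():
        return False
    if not _port_matches(conn.port, dest.port_range):
        return False
    if dest.vnet_id is not None and dest.vnet_id != conn.vnet_id:
        return False
    return True


def matches_public_destination(uri_pattern: str, host_and_path: str) -> bool:
    """Plain glob match for a public destination such as '*.example.com/admin/*'.

    Access's precise wildcard semantics (see the app-paths link above) are not reproduced here;
    this is an illustration using a case-sensitive glob.
    """
    return fnmatchcase(host_and_path, uri_pattern)
```

The practical lesson is in the omissions: a destination with only `cidr` set secures every port and protocol in that range, so an SSH-only application should pin `l4_protocol` and `port_range` rather than rely on the CIDR alone.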
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserSSHApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserSSHApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
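The dynamic client registration settings above amount to three rules for a proposed redirect URI: anything on `localhost` or `127.0.0.1` passes when the corresponding carve-out is on; everything else must be `https` and must either equal an entry in `allowed_uris` or fall under an entry ending in `/*`. The redirect URI is the one value an OAuth authorization server must never get wrong, since a loose match lets an authorization code be delivered to a host the client does not control. The following is an added example, not Cloudflare code, that applies those rules with the checks a careful implementation adds (no userinfo, no fragment, no dot segments that could escape a `/*` prefix); the dataclass mirrors the page's field names, and `SAMPLE_CFG` is a constructed configuration.

```python
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


@dataclass
class DynamicClientRegistration:
    """Mirror of the dynamic_client_registration fields listed above (plain dataclass, not the SDK type)."""
    enabled: bool = False
    allow_any_on_localhost: bool = False
    allow_any_on_loopback: bool = False
    allowed_uris: List[str] = field(default_factory=list)


def redirect_uri_allowed(cfg: DynamicClientRegistration, redirect_uri: str) -> bool:
    """Decide whether a dynamically registering client may use `redirect_uri`."""
    if not cfg.enabled:
        return False
    parts = urlsplit(redirect_uri)
    if not parts.scheme or parts.hostname is None or "@" in parts.netloc or parts.fragment:
        return False                                  # relative URIs, userinfo and fragments are rejected outright
    if ".." in parts.path.split("/"):
        return False                                  # dot segments must not be able to escape a /* prefix
    host = parts.hostname                             # already lower-cased by urlsplit
    # Carve-outs for native and dev clients: any scheme, port and path on these hosts
    if cfg.allow_any_on_localhost and host == "localhost":
        return True
    if cfg.allow_any_on_loopback and host == "127.0.0.1":
        return True
    # Everything else must be https and match an allowed URI exactly or via its /* prefix
    if parts.scheme != "https":
        return False
    candidate = f"https://{parts.netloc.lower()}{parts.path}"
    if parts.query:
        candidate += "?" + parts.query
    for allowed in cfg.allowed_uris:
        if allowed.endswith("/*"):
            if candidate.startswith(allowed[:-1]):    # keep the slash, so only true sub-paths match
                return True
        elif candidate == allowed:
            return True
    return False


# Constructed configuration for the checks below
SAMPLE_CFG = DynamicClientRegistration(
    enabled=True,
    allow_any_on_loopback=True,
    allowed_uris=["https://app.example.com/cb", "https://app.example.com/oauth/*"],
)
```

Note that the page lists `localhost` and `127.0.0.1` as separate switches; this example follows that literally and does not extend the loopback carve-out to `::1`, which the page does not mention.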
    - `connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserSSHApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserSSHApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
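Both the SaaS application policies earlier on this page and the Browser SSH application policies just above combine their rule lists the same way: `include` is an OR (at least one rule must match), `require` is an AND (every rule must match) and `exclude` is a NOT (no rule may match), with `precedence` giving the order of execution. The following is an added example, not Cloudflare code, that evaluates a handful of the rule families against a constructed identity so the interaction of the three lists can be checked offline. The `Identity` shape, the `{"kind": ..., "value": ...}` rule encoding and the `allow`/`deny` decision strings are my assumptions; first-match-by-precedence is taken from the page's "order of execution" wording, and Access's special handling of bypass and service-auth decisions is not modelled.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Identity:
    """Constructed view of the authenticated principal (assumed shape, not an SDK type)."""
    email: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    country: Optional[str] = None
    idp_id: Optional[str] = None
    service_token_id: Optional[str] = None
    passed_posture_checks: List[str] = field(default_factory=list)


Rule = Dict[str, Any]   # {"kind": "<rule family>", "value": ...}; kinds are my shorthand for the rule classes


def rule_matches(rule: Rule, ident: Identity) -> bool:
    kind, value = rule["kind"], rule.get("value")
    if kind == "everyone":                  # EveryoneRule
        return True
    if kind == "email":                     # EmailRule
        return ident.email is not None and ident.email.lower() == value.lower()
    if kind == "domain":                    # DomainRule: the whole email domain
        return ident.email is not None and ident.email.lower().endswith("@" + value.lower())
    if kind == "group":                     # GroupRule and the IdP group rules
        return value in ident.groups
    if kind == "country":                   # CountryRule
        return ident.country == value
    if kind == "login_method":              # AccessLoginMethodRule: a specific identity provider id
        return ident.idp_id == value
    if kind == "any_valid_service_token":   # AnyValidServiceTokenRule
        return ident.service_token_id is not None
    if kind == "service_token":             # ServiceTokenRule: one specific token
        return ident.service_token_id == value
    if kind == "device_posture":            # AccessDevicePostureRule: the named check ran successfully
        return value in ident.passed_posture_checks
    raise ValueError(f"unsupported rule kind {kind!r}")


def policy_matches(policy: Dict[str, Any], ident: Identity) -> bool:
    """include = OR, require = AND, exclude = NOT any. An empty include never matches."""
    if not any(rule_matches(r, ident) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, ident) for r in policy.get("require", [])):
        return False
    if any(rule_matches(r, ident) for r in policy.get("exclude", [])):
        return False
    return True


def decide(policies: List[Dict[str, Any]], ident: Identity) -> Tuple[str, Optional[str]]:
    """Walk the policies by precedence and return (decision, policy name) for the first match.

    No matching policy falls through to deny (assumption: deny-by-default).
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ident):
            return policy["decision"], policy.get("name")
    return "deny", None


# Constructed policies for the usage below
SAMPLE_POLICIES = [
    {"name": "block-contractors-abroad", "precedence": 1, "decision": "deny",
     "include": [{"kind": "domain", "value": "contractor.example"}],
     "exclude": [{"kind": "country", "value": "US"}]},
    {"name": "allow-engineering", "precedence": 2, "decision": "allow",
     "include": [{"kind": "group", "value": "engineering"}],
     "require": [{"kind": "device_posture", "value": "disk-encryption"}]},
]
```

The ordering matters for the same reason it does in a firewall: the deny policy at precedence 1 is consulted before the allow at precedence 2, so a contractor who is also in the engineering group is still denied outside the excluded country.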
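The `read_service_tokens_from_header` field above moves a service token pair from two headers into one header whose value is a JSON object with the keys `cf-access-client-id` and `cf-access-client-secret`. Anything that builds or consumes that value is handling a long-lived credential, so the consumer side should be strict about shape and the producer side should never let the secret reach a log. The following is an added example, not Cloudflare code, that encodes and strictly decodes that header value; the header name is a hypothetical value for the field, the key names and sample values come from the page, and the regular expressions only enforce the shape of the page's sample values rather than a documented Access format.

```python
import json
import re
from typing import Tuple

# The header name is whatever read_service_tokens_from_header is set to; this value is hypothetical.
HEADER_NAME = "X-Access-Service-Token"
CLIENT_ID_KEY = "cf-access-client-id"
CLIENT_SECRET_KEY = "cf-access-client-secret"

# Shape checks derived from the page's sample values (32 hex chars + ".access.<domain>", 64 hex chars).
# These are an input-hygiene assumption, not a documented Access format.
_CLIENT_ID_RE = re.compile(r"[0-9a-f]{32}\.access\.[a-z0-9.-]+")
_CLIENT_SECRET_RE = re.compile(r"[0-9a-f]{64}")
MAX_HEADER_LEN = 1024

# Sample values as printed on the page (not real credentials)
SAMPLE_ID = "88bf3b6d86161464f6509f7219099e57.access.example.com"
SAMPLE_SECRET = "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"


def build_service_token_header(client_id: str, client_secret: str) -> str:
    """Encode a service token pair in the single-header JSON form the page describes."""
    return json.dumps({CLIENT_ID_KEY: client_id, CLIENT_SECRET_KEY: client_secret}, separators=(",", ":"))


def parse_service_token_header(value: str) -> Tuple[str, str]:
    """Strictly decode the header value; raise ValueError on anything unexpected."""
    if len(value) > MAX_HEADER_LEN:
        raise ValueError("header value too long")
    try:
        obj = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError("header value is not valid JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("header value must be a JSON object")
    unexpected = set(obj) - {CLIENT_ID_KEY, CLIENT_SECRET_KEY}
    if unexpected:
        raise ValueError(f"unexpected keys: {sorted(unexpected)}")
    client_id, client_secret = obj.get(CLIENT_ID_KEY), obj.get(CLIENT_SECRET_KEY)
    if not isinstance(client_id, str) or not isinstance(client_secret, str):
        raise ValueError("both values must be present and must be strings")
    if not _CLIENT_ID_RE.fullmatch(client_id) or not _CLIENT_SECRET_RE.fullmatch(client_secret):
        raise ValueError("client id or secret has an unexpected shape")
    return client_id, client_secret


def is_valid_service_token_header(value: str) -> bool:
    try:
        parse_service_token_header(value)
        return True
    except ValueError:
        return False


def redact_for_log(client_id: str) -> str:
    """Log only a prefix of the client id; the secret is never written anywhere."""
    return client_id[:8] + "..."
```

The strictness is deliberate: rejecting extra keys, non-string values and oversized payloads keeps a mis-sent or tampered header from being partially accepted, and only the id prefix is ever suitable for a log line.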
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
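The SCIM configuration block, listed above for the Browser SSH application and identically for the SaaS application earlier on this page, states two behaviours worth seeing end to end: `deactivate_on_delete` turns a delete into a PATCH that sets `active` to false (for targets that do not support DELETE), and `strictness` decides whether attributes the target's schema does not know are dropped (`strict`) or forwarded (`passthrough`). The following is an added example, not Cloudflare code, that plans the outbound SCIM request for one resource under a mapping; the known-attribute set is constructed, the `operations` object is modelled as three booleans (the page only says it covers creates, updates and deletes), and `filter` and `transform_jsonata` are not evaluated.

```python
import copy
from typing import Any, Dict, Optional

# Constructed set of attributes the target's User schema is known to accept (assumption; a real
# deployment would derive this from the target's /Schemas endpoint).
KNOWN_USER_ATTRS = {"schemas", "id", "externalId", "userName", "name", "emails", "active"}

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"   # RFC 7644 PatchOp message schema


def apply_strictness(resource: Dict[str, Any], strictness: str) -> Dict[str, Any]:
    """'strict' removes unknown values; 'passthrough' forwards them to the target unchanged."""
    if strictness == "passthrough":
        return copy.deepcopy(resource)
    if strictness != "strict":
        raise ValueError(f"unknown strictness {strictness!r}")
    return {k: copy.deepcopy(v) for k, v in resource.items() if k in KNOWN_USER_ATTRS}


def outbound_request(op: str, resource: Dict[str, Any], deactivate_on_delete: bool) -> Dict[str, Any]:
    """Map a provisioning event to the SCIM request that would be sent under remote_uri."""
    if op == "create":
        return {"method": "POST", "path": "/Users", "body": resource}
    if op not in ("update", "delete"):
        raise ValueError(f"unknown operation {op!r}")
    if "id" not in resource:
        raise ValueError("update and delete need the target's resource id")
    path = f"/Users/{resource['id']}"
    if op == "update":
        return {"method": "PUT", "path": path, "body": resource}
    if deactivate_on_delete:
        # Soft delete: flip 'active' to false instead of propagating DELETE
        return {"method": "PATCH", "path": path,
                "body": {"schemas": [PATCH_OP_SCHEMA],
                         "Operations": [{"op": "replace", "path": "active", "value": False}]}}
    return {"method": "DELETE", "path": path, "body": None}


def plan_provisioning(mapping: Dict[str, Any], op: str, resource: Dict[str, Any],
                      deactivate_on_delete: bool) -> Optional[Dict[str, Any]]:
    """Return the outbound request for one resource, or None when the mapping skips it.

    `operations` is modelled as {"create": bool, "update": bool, "delete": bool} (assumption).
    """
    if not mapping.get("enabled", True):
        return None
    if not mapping.get("operations", {}).get(op, True):
        return None
    body = apply_strictness(resource, mapping.get("strictness", "strict"))
    return outbound_request(op, body, deactivate_on_delete)


# Constructed SCIM User resource carrying one attribute the target does not know
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "u-1",
    "userName": "alice@example.com",
    "active": True,
    "customBadgeColor": "blue",
}
```

Deactivation instead of deletion is usually the safer default from an identity-lifecycle standpoint as well: the account stops being usable immediately, while audit trails and ownership of the user's objects in the target survive.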
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class BrowserVNCApplication: …`
  - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: Optional[CORSHeaders]`
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[BrowserVNCApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class BrowserVNCApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class BrowserVNCApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class BrowserVNCApplicationDestinationViaMcpServerPortalDestination: …` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: Optional[BrowserVNCApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[BrowserVNCApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: Optional[List[BrowserVNCApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[BrowserVNCApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[BrowserVNCApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class AppLauncherApplication: …`
  - `type: Literal["self_hosted", "saas", "ssh", 11 more]` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: Optional[str]` UUID.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: Optional[str]` The image URL of the logo shown in the App Launcher header.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: Optional[str]` The background color of the App Launcher page.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: Optional[List[AppLauncherApplicationFooterLink]]` The links in the App Launcher footer.
    - `name: str` The hypertext in the footer link.
    - `url: str` The hyperlink in the footer link.
  - `header_bg_color: Optional[str]` The background color of the App Launcher header.
  - `landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: Optional[str]` The background color of the log in button on the landing page.
    - `button_text_color: Optional[str]` The color of the text in the log in button on the landing page.
    - `image_url: Optional[str]` The URL of the image shown on the landing page.
    - `message: Optional[str]` The message shown on the landing page.
    - `title: Optional[str]` The title shown on the landing page.
  - `name: Optional[str]` The name of the application.
  - `policies: Optional[List[AppLauncherApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[AppLauncherApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: Optional[bool]` Determines when to skip the App Launcher landing page. - `class DeviceEnrollmentPermissionsApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: Optional[str]` The name of the application. - `policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. 
- `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. 
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BrowserIsolationPermissionsApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: Optional[str]` The name of the application. - `policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. 
Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class GatewayIdentityProxyEndpointApplication: …` - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `domain: Optional[str]` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: Optional[str]` The name of the application. - `policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. 
- `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `class BookmarkApplication: …` - `id: Optional[str]` UUID. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `domain: Optional[str]` The URL or domain of the bookmark. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. 
- `policies: Optional[List[BookmarkApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BookmarkApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
- `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforces different MFA options. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country. - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully. - `class DomainRule: …` Matches an entire email domain. - `class EmailListRule: …` Matches an email address from a list. 
- `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: Optional[ApplicationType]` The application type. - `class InfrastructureApplication: …` - `target_criteria: List[InfrastructureApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["SSH"]` The communication protocol your application secures. 
- `"SSH"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `aud: Optional[str]` Audience tag. - `name: Optional[str]` The name of the application. - `policies: Optional[List[InfrastructureApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]` The rules that define how users may connect to the targets secured by your application. - `ssh: Optional[InfrastructureApplicationPolicyConnectionRulesSSH]` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: List[str]` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: Optional[bool]` Enables using Identity Provider email alias as SSH username. - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. 
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. 
- `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access policy. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `updated_at: Optional[datetime]` - `class BrowserRDPApplication: …` - `domain: str` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
- `target_criteria: List[BrowserRDPApplicationTargetCriterion]` - `port: int` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: Literal["RDP"]` The communication protocol your application secures. - `"RDP"` - `target_attributes: Dict[str, List[str]]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: Optional[str]` UUID. - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame. - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher. - `aud: Optional[str]` Audience tag. - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: Optional[CORSHeaders]` - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[BrowserRDPApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class BrowserRDPApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class BrowserRDPApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class BrowserRDPApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. 
- `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `enable_binding_cookie: Optional[bool]` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: Optional[BrowserRDPApplicationMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. 
- `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[BrowserRDPApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `path_cookie_attribute: Optional[bool]` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: Optional[List[BrowserRDPApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy. - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of a reusable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[BrowserRDPApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` - `read_service_tokens_from_header: Optional[str]` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: Optional[BrowserRDPApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: str` The base URI for the application's SCIM-compatible API. - `authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning through this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: Optional[List[SelfHostedDomains]]` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: Optional[bool]` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: Optional[bool]` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `class McpServerApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application.
  - `destinations: Optional[List[McpServerApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `class McpServerApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
      - `type: Optional[Literal["public"]]`
        - `"public"`
      - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `class McpServerApplicationDestinationPrivateDestination: …`
      - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: Optional[Literal["private"]]`
        - `"private"`
      - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `class McpServerApplicationDestinationViaMcpServerPortalDestination: …` An MCP server ID configured in AI Controls (`ai-controls`). Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: Optional[str]` The MCP server ID configured in AI Controls.
      - `type: Optional[Literal["via_mcp_server_portal"]]`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the application.
  - `oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: Optional[bool]` Whether dynamic client registration is enabled.
    - `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: Optional[McpServerApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior.
      - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: Optional[bool]` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: Optional[List[McpServerApplicationPolicy]]`
    - `id: Optional[str]` The UUID of the policy.
    - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
      - `approvals_needed: float` The number of approvals needed to obtain access.
      - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
      - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
    - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: Optional[McpServerApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application.
      - `rdp: Optional[McpServerApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
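The `include` / `exclude` / `require` lists above are combined as OR / NOT / AND, and `precedence` orders the policies of one application. The following added example (not code from the Cloudflare SDK or this reference) turns that description into an evaluator for a handful of the listed rule classes and a linter for the one combination the page says is invalid (a linked-app-token rule under a decision other than `non_identity` or `bypass`). The dict shapes of the rules (`{"email": {"email": ...}}`, `{"email_domain": {"domain": ...}}`, `{"group": {"id": ...}}`, `{"geo": {"country_code": ...}}`, `{"ip": {"ip": ...}}`, `{"device_posture": {"integration_uid": ...}}`, `{"any_valid_service_token": {}}`, `{"everyone": {}}`), the subject attributes, the decision strings `allow`/`deny`, and first match by ascending precedence with an implicit deny when nothing matches are all assumptions for the purpose of the example; the page does not specify how Access itself orders policies of different decision types, so that is not modelled.

```python
from __future__ import annotations

import ipaddress
from typing import Any, Callable, Dict, List, Optional, Tuple

Rule = Dict[str, Any]      # one key: the rule kind; value: that kind's parameters
Subject = Dict[str, Any]   # what we know about the requester

# Matchers for a subset of the rule classes listed above. The wire shapes are
# assumed; only the boolean logic around them is what the reference describes.
MATCHERS: Dict[str, Callable[[Rule, Subject], bool]] = {
    "everyone": lambda r, s: True,
    "email": lambda r, s: s.get("email", "").lower() == r["email"]["email"].lower(),
    "email_domain": lambda r, s: s.get("email", "").lower().rsplit("@", 1)[-1]
                                 == r["email_domain"]["domain"].lower(),
    "group": lambda r, s: r["group"]["id"] in s.get("groups", ()),
    "geo": lambda r, s: s.get("country") == r["geo"]["country_code"],
    "ip": lambda r, s: "ip" in s and ipaddress.ip_address(s["ip"])
                       in ipaddress.ip_network(r["ip"]["ip"], strict=False),
    "device_posture": lambda r, s: r["device_posture"]["integration_uid"]
                                   in s.get("posture_passed", ()),
    "any_valid_service_token": lambda r, s: bool(s.get("service_token_valid")),
}


def rule_matches(rule: Rule, subject: Subject) -> bool:
    (kind, _), = rule.items()  # every rule object carries exactly one key
    if kind not in MATCHERS:
        raise ValueError(f"unsupported rule kind {kind!r}")
    return MATCHERS[kind](rule, subject)


def policy_matches(policy: dict, subject: Subject) -> bool:
    """include: OR (an empty include matches nobody); exclude: NOT; require: AND."""
    if not any(rule_matches(r, subject) for r in policy.get("include") or []):
        return False
    if any(rule_matches(r, subject) for r in policy.get("exclude") or []):
        return False
    return all(rule_matches(r, subject) for r in policy.get("require") or [])


def evaluate(policies: List[dict], subject: Subject) -> Tuple[str, Optional[str]]:
    """First matching policy in ascending precedence wins; ("deny", None) when
    none matches (fail closed). Precedence must be unique within an app."""
    precedences = [p["precedence"] for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("policy precedences must be unique within an application")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, subject):
            return policy["decision"], policy["name"]
    return "deny", None


def lint_policy(policy: dict) -> List[str]:
    """Flag the combinations the reference says are invalid or useless."""
    problems = []
    rules = (policy.get("include") or []) + (policy.get("exclude") or []) + (policy.get("require") or [])
    if any("linked_app_token" in r for r in rules) and policy.get("decision") not in ("non_identity", "bypass"):
        problems.append("linked_app_token rules are only compatible with non_identity and bypass decisions")
    if not policy.get("include"):
        problems.append("include is empty: the policy can never match")
    return problems


# Constructed sample: three policies for one application.
POLICIES = [
    {"name": "Block sanctioned country", "precedence": 1, "decision": "deny",
     "include": [{"geo": {"country_code": "KP"}}]},
    {"name": "Engineering on managed devices", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}],
     "require": [{"group": {"id": "eng-group-uuid"}},
                 {"device_posture": {"integration_uid": "posture-check-uuid"}}]},
    {"name": "CI service token", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}]},
]

# Constructed subjects.
ALICE = {"email": "alice@example.com", "groups": {"eng-group-uuid"},
         "posture_passed": {"posture-check-uuid"}, "country": "US", "ip": "198.51.100.7"}
CONTRACTOR = dict(ALICE, email="contractor@example.com")     # hits the exclude rule
BOB = dict(ALICE, email="bob@example.com", posture_passed=set())  # fails a require rule
CI_RUNNER = {"service_token_valid": True, "ip": "203.0.113.9"}

if __name__ == "__main__":
    for who, subject in [("alice", ALICE), ("contractor", CONTRACTOR),
                         ("bob", BOB), ("ci", CI_RUNNER)]:
        print(who, evaluate(POLICIES, subject))
```

The evaluator is deliberately strict about unknown rule kinds: raising on a rule class it does not model is safer than silently treating it as a non-match, which would turn an unsupported `require` rule into an allow.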
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerApplicationSCIMConfigAuthentication]` The authentication scheme Access uses when making SCIM requests to the application: one of the schemes listed below, or a list of several of them.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning through this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `class McpServerPortalApplication: …`
  - `type: ApplicationType` The application type.
  - `id: Optional[str]` UUID.
  - `allow_authenticate_via_warp: Optional[bool]` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: Optional[List[AllowedIdPs]]` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: Optional[str]` Audience tag.
  - `auto_redirect_to_identity: Optional[bool]` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
- `custom_deny_message: Optional[str]` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: Optional[str]` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: Optional[List[str]]` The custom pages that will be displayed when applicable for this application - `destinations: Optional[List[McpServerPortalApplicationDestination]]` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `class McpServerPortalApplicationDestinationPublicDestination: …` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: Optional[Literal["public"]]` - `"public"` - `uri: Optional[str]` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `class McpServerPortalApplicationDestinationPrivateDestination: …` - `cidr: Optional[str]` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: Optional[str]` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: Optional[Literal["tcp", "udp"]]` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: Optional[str]` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: Optional[Literal["private"]]` - `"private"` - `vnet_id: Optional[str]` The VNET ID to match the destination. When omitted, all VNETs will match. - `class McpServerPortalApplicationDestinationViaMcpServerPortalDestination: …` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: Optional[str]` The MCP server id configured in ai-controls. - `type: Optional[Literal["via_mcp_server_portal"]]` - `"via_mcp_server_portal"` - `domain: Optional[str]` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: Optional[bool]` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard. - `name: Optional[str]` The name of the application. - `oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: Optional[bool]` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: Optional[bool]` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: Optional[List[str]]` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: Optional[bool]` Whether dynamic client registration is enabled. 
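The `dynamic_client_registration` settings above (here and in the `McpServerApplication` variant earlier) are the allow-list that decides which redirect URIs an unauthenticated MCP client may register; a loose check there lets an attacker register a client whose callback receives another user's authorization code. The following added example (not code from Cloudflare or this reference) implements the checks the reference implies: registration refused when `enabled` is false, `allowed_uris` entries honoured only when they use `https`, a trailing `/*` matching sub-paths, and the `allow_any_on_localhost` / `allow_any_on_loopback` switches limited to exactly `localhost` and `127.0.0.1`. How Access itself compares URIs is not on the page, so the component-wise comparison, the treatment of `/*` as "sub-paths only", acceptance of `http` for the localhost/loopback exceptions, and the RFC 7591 style error response are assumptions; the configuration and URIs are constructed.

```python
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit


def redirect_uri_problem(uri: str, dcr: dict) -> Optional[str]:
    """Return None if `uri` may be registered under the given
    dynamic_client_registration settings, otherwise a short reason.

    Comparing parsed components (not string prefixes) is what defeats
    "https://good.example.com@evil.example.com/cb" (userinfo trick) and
    "https://good.example.com.evil.example.com/cb" (suffix trick).
    """
    if not dcr.get("enabled"):
        return "dynamic client registration is disabled"
    parts = urlsplit(uri)
    if parts.fragment:
        return "redirect URIs must not carry a fragment"  # RFC 6749 section 3.1.2
    if parts.username is not None or parts.password is not None:
        return "userinfo in the authority is not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return "missing host"
    # Developer exceptions: exact host match only, no 127.0.0.2 or ::1 creep.
    if parts.scheme in ("http", "https"):
        if host == "localhost" and dcr.get("allow_any_on_localhost"):
            return None
        if host == "127.0.0.1" and dcr.get("allow_any_on_loopback"):
            return None
    if parts.scheme != "https":
        return "allowed_uris entries must use https"
    for entry in dcr.get("allowed_uris") or []:
        allowed = urlsplit(entry)
        if allowed.scheme != "https":
            continue  # misconfigured entry; never let it widen the allow-list
        if allowed.netloc.lower() != parts.netloc.lower():
            continue  # netloc includes the port, so :8443 is not :443
        if allowed.path.endswith("/*"):
            if parts.path.startswith(allowed.path[:-1]):  # "/cb/*" -> "/cb/..."
                return None
        elif allowed.path == parts.path and allowed.query == parts.query:
            return None
    return "not in allowed_uris"


def validate_registration(metadata: dict, dcr: dict) -> dict:
    """Check the redirect_uris of an RFC 7591 registration request; mirrors the
    RFC's {"error": "invalid_redirect_uri"} failure shape (assumed response form)."""
    uris = metadata.get("redirect_uris") or []
    if not uris:
        return {"error": "invalid_redirect_uri", "error_description": "redirect_uris is required"}
    for uri in uris:
        problem = redirect_uri_problem(uri, dcr)
        if problem:
            return {"error": "invalid_redirect_uri", "error_description": f"{uri}: {problem}"}
    return {"redirect_uris": list(uris)}


# Constructed configuration. The http entry violates the https rule and is
# deliberately present to show it is ignored rather than honoured.
DCR = {
    "enabled": True,
    "allow_any_on_localhost": False,
    "allow_any_on_loopback": True,
    "allowed_uris": [
        "https://agent.example.com/oauth/callback",
        "https://ide.example.com/cb/*",
        "http://legacy.example.com/cb",
    ],
}

if __name__ == "__main__":
    for candidate in [
        "https://agent.example.com/oauth/callback",
        "https://ide.example.com/cb/vscode",
        "https://ide.example.com/cb",
        "https://agent.example.com@evil.example.com/oauth/callback",
        "https://agent.example.com.evil.example.com/oauth/callback",
        "http://legacy.example.com/cb",
        "http://127.0.0.1:49152/cb",
        "http://localhost:3000/cb",
    ]:
        print(candidate, "->", redirect_uri_problem(candidate, DCR) or "allowed")
```

Note that the loopback exception passes a client on any port, which is what native MCP clients need, while the `localhost` name stays refused here because its switch is off; turn both off in production configurations that only expect hosted clients.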
- `enabled: Optional[bool]` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: Optional[McpServerPortalApplicationOAuthConfigurationGrant]` Settings for OAuth grant behavior. - `access_token_lifetime: Optional[str]` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: Optional[str]` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: Optional[bool]` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: Optional[List[McpServerPortalApplicationPolicy]]` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[McpServerPortalApplicationPolicyConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. 
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: Optional[datetime]`
    - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: Optional[str]` The name of the Access policy.
    - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
    - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `class GroupRule: …` Matches an Access group.
      - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `class CertificateRule: …` Matches any valid client certificate.
      - `class AccessCommonNameRule: …` Matches a specific common name.
      - `class CountryRule: …` Matches a specific country.
      - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `class DomainRule: …` Matches an entire email domain.
      - `class EmailListRule: …` Matches an email address from a list.
      - `class EmailRule: …` Matches a specific email.
      - `class EveryoneRule: …` Matches everyone.
      - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `class IPListRule: …` Matches an IP address from a list.
      - `class IPRule: …` Matches an IP address block.
      - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: Optional[datetime]`
  - `same_site_cookie_attribute: Optional[str]` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: Optional[McpServerPortalApplicationSCIMConfig]` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: str` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: str` The base URI for the application's SCIM-compatible API.
    - `authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]` Attributes for configuring the authentication scheme used for SCIM provisioning to an application; one of the following.
      - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]` Multiple authentication schemes.
        - `class SCIMConfigAuthenticationHTTPBasic: …` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOAuthBearerToken: …` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `class SCIMConfigAuthenticationOauth2: …` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: str` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: str` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: Literal["access_service_token"]` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: Optional[bool]` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: Optional[bool]` Whether SCIM provisioning is turned on for this application.
    - `mappings: Optional[List[SCIMConfigMapping]]` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: str` Which SCIM resource type this mapping applies to.
      - `enabled: Optional[bool]` Whether or not this mapping is enabled.
      - `filter: Optional[str]` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: Optional[Operations]` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: Optional[Literal["strict", "passthrough"]]` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: Optional[str]` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: Optional[str]` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: Optional[List[str]]` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Application Delete Response

- `class ApplicationDeleteResponse: …`
  - `id: Optional[str]` UUID.

# CAs

## List short-lived certificate CAs

`zero_trust.access.applications.cas.list(CAListParams **kwargs) -> SyncV4PagePaginationArray[CA]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca`

Lists short-lived certificate CAs and their public keys.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.

### Returns

- `class CA: …`
  - `id: Optional[str]` The ID of the CA.
  - `aud: Optional[str]` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: Optional[str]` The public key to add to your SSH server configuration.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.applications.cas.list(
    account_id="account_id",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a short-lived certificate CA

`zero_trust.access.applications.cas.get(str app_id, CAGetParams **kwargs) -> CA`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Fetches a short-lived certificate CA and its public key.

### Parameters

- `app_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class CA: …`
  - `id: Optional[str]` The ID of the CA.
  - `aud: Optional[str]` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: Optional[str]` The public key to add to your SSH server configuration.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ca = client.zero_trust.access.applications.cas.get(
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(ca.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Create a short-lived certificate CA

`zero_trust.access.applications.cas.create(str app_id, CACreateParams **kwargs) -> CA`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Generates a new short-lived certificate CA and public key.

### Parameters

- `app_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class CA: …`
  - `id: Optional[str]` The ID of the CA.
  - `aud: Optional[str]` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: Optional[str]` The public key to add to your SSH server configuration.
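The `public_key` returned by the CA endpoints is what an SSH server is told to trust, so it is worth checking that it is a well-formed OpenSSH public key line whose declared key type agrees with the type embedded in the key blob before it is written anywhere. The Python below is an added example and is not part of the `cloudflare` SDK or of Cloudflare's tooling; the function names, the `TrustedUserCAKeys` rendering and the placeholder ECDSA key it constructs are this example's own. It parses the `keytype base64-blob comment` line, walks the RFC 4251 wire format inside the blob, and refuses a line whose declared type does not match, so a mangled or substituted value is reported rather than installed.

```python
"""Sanity-check an Access short-lived certificate CA public key before sshd trusts it.

Added example (not SDK code). The CA endpoints return `public_key` as an OpenSSH
public key line: "<key-type> <base64 blob> [comment]". The blob itself is RFC 4251
wire format and starts with the key type as a length-prefixed string, so a line can
be checked for internal consistency before it is written into the file named by
sshd's TrustedUserCAKeys directive.
"""
import base64
import binascii
import struct
from typing import NamedTuple


class SshPublicKey(NamedTuple):
    key_type: str
    blob: bytes
    comment: str


def _read_ssh_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read one RFC 4251 'string' (uint32 big-endian length, then that many bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated SSH string length")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated SSH string body")
    return buf[start:end], end


def parse_openssh_public_key(line: str) -> SshPublicKey:
    """Parse an OpenSSH public key line and check it is internally consistent.

    Raises ValueError if the line lacks a type and blob, the blob is not strict
    base64, or the type string inside the blob differs from the declared type.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"public key blob is not valid base64: {exc}") from exc
    embedded_type, _ = _read_ssh_string(blob, 0)
    if embedded_type != key_type.encode("ascii", errors="replace"):
        raise ValueError(
            f"declared type {key_type!r} does not match embedded type {embedded_type!r}"
        )
    return SshPublicKey(key_type, blob, comment)


def is_valid_ca_line(line: str) -> bool:
    """True when the line parses cleanly, False otherwise (no exception escapes)."""
    try:
        parse_openssh_public_key(line)
    except ValueError:
        return False
    return True


def trusted_user_ca_keys(public_keys: list[str]) -> str:
    """Render TrustedUserCAKeys file content from CA public key lines.

    Every line is validated first; a single bad line fails the whole render so a
    half-correct trust file is never produced.
    """
    rendered = []
    for line in public_keys:
        key = parse_openssh_public_key(line)
        b64 = base64.b64encode(key.blob).decode("ascii")
        rendered.append(f"{key.key_type} {b64} {key.comment}".rstrip())
    return "\n".join(rendered) + "\n"


def constructed_ecdsa_ca_line() -> str:
    """Build a structurally valid ecdsa-sha2-nistp256 line as constructed test input.

    The curve point is placeholder bytes, not a real public key; it only has the
    shape of the "open-ssh-ca@cloudflareaccess.org" sample shown on this page.
    """
    def ssh_string(value: bytes) -> bytes:
        return struct.pack(">I", len(value)) + value

    point = b"\x04" + bytes(range(64))  # uncompressed-point layout with dummy coordinates
    blob = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(point)
    b64 = base64.b64encode(blob).decode("ascii")
    return f"ecdsa-sha2-nistp256 {b64} open-ssh-ca@cloudflareaccess.org"


if __name__ == "__main__":
    line = constructed_ecdsa_ca_line()  # stands in for ca.public_key
    print(trusted_user_ca_keys([line]), end="")
    # A line whose declared type was changed is refused rather than installed.
    tampered = "ssh-ed25519 " + line.split(" ", 1)[1]
    print("tampered line accepted:", is_valid_ca_line(tampered))
```

In practice `line` would be `ca.public_key` from the object returned by `cas.get` or `cas.create`; the constructed key stands in for it so the check runs offline. The rendered text is what sshd reads through its `TrustedUserCAKeys` directive, and rendering fails closed: one bad line and no file content is produced.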
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ca = client.zero_trust.access.applications.cas.create(
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(ca.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Delete a short-lived certificate CA

`zero_trust.access.applications.cas.delete(str app_id, CADeleteParams **kwargs) -> CADeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Deletes a short-lived certificate CA.

### Parameters

- `app_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class CADeleteResponse: …`
  - `id: Optional[str]` The ID of the CA.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
ca = client.zero_trust.access.applications.cas.delete(
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(ca.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9"
  }
}
```

## Domain Types

### CA

- `class CA: …`
  - `id: Optional[str]` The ID of the CA.
  - `aud: Optional[str]` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: Optional[str]` The public key to add to your SSH server configuration.

### CA Delete Response

- `class CADeleteResponse: …`
  - `id: Optional[str]` The ID of the CA.

# User Policy Checks

## Test Access policies

`zero_trust.access.applications.user_policy_checks.list(AppID app_id, UserPolicyCheckListParams **kwargs) -> UserPolicyCheckListResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks`

Tests whether a specific user has permission to access an application.

### Parameters

- `app_id: AppID` Identifier.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class UserPolicyCheckListResponse: …`
  - `app_state: Optional[AppState]`
    - `app_uid: Optional[str]` UUID.
    - `aud: Optional[str]`
    - `hostname: Optional[str]`
    - `name: Optional[str]`
    - `policies: Optional[List[object]]`
    - `status: Optional[str]`
  - `user_identity: Optional[UserIdentity]`
    - `id: Optional[str]`
    - `account_id: Optional[str]`
    - `device_sessions: Optional[object]`
    - `email: Optional[str]`
    - `geo: Optional[UserPolicyCheckGeo]`
      - `country: Optional[str]`
    - `iat: Optional[int]`
    - `is_gateway: Optional[bool]`
    - `is_warp: Optional[bool]`
    - `name: Optional[str]`
    - `user_uuid: Optional[str]` UUID.
    - `version: Optional[int]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
user_policy_checks = client.zero_trust.access.applications.user_policy_checks.list(
    app_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(user_policy_checks.user_identity)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "app_state": {
      "app_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe389",
      "hostname": "test.com",
      "name": "Test App",
      "policies": [
        {
          "decision": "allow",
          "exclude": [],
          "include": [
            {
              "_type": "email",
              "email": "testuser@gmail.com"
            }
          ],
          "precedence": 1,
          "require": [],
          "status": "Success"
        }
      ],
      "status": "Success"
    },
    "user_identity": {
      "id": "1164449231815010287495",
      "account_id": "41ecfbb341f033e52b46742756aabb8b",
      "device_sessions": {},
      "email": "testuser@gmail.com",
      "geo": {
        "country": "US"
      },
      "iat": 0,
      "is_gateway": false,
      "is_warp": false,
      "name": "Test User",
      "user_uuid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "version": 0
    }
  }
}
```

## Domain Types

### User Policy Check Geo

- `class UserPolicyCheckGeo: …`
  - `country: Optional[str]`

### User Policy Check List Response

- `class UserPolicyCheckListResponse: …`
  - `app_state: Optional[AppState]`
    - `app_uid: Optional[str]` UUID.
    - `aud: Optional[str]`
    - `hostname: Optional[str]`
    - `name: Optional[str]`
    - `policies: Optional[List[object]]`
    - `status: Optional[str]`
  - `user_identity: Optional[UserIdentity]`
    - `id: Optional[str]`
    - `account_id: Optional[str]`
    - `device_sessions: Optional[object]`
    - `email: Optional[str]`
    - `geo: Optional[UserPolicyCheckGeo]`
      - `country: Optional[str]`
    - `iat: Optional[int]`
    - `is_gateway: Optional[bool]`
    - `is_warp: Optional[bool]`
    - `name: Optional[str]`
    - `user_uuid: Optional[str]` UUID.
    - `version: Optional[int]`

# Policies

## List Access application policies

`zero_trust.access.applications.policies.list(str app_id, PolicyListParams **kwargs) -> SyncV4PagePaginationArray[PolicyListResponse]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.

### Parameters

- `app_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.

### Returns

- `class PolicyListResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. 
- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. 
- `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. 
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
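The `include` (OR), `require` (AND) and `exclude` (NOT) lists above are the whole of a policy's matching logic, and the interaction is easy to get wrong when reviewing policies by hand (an `everyone` include with nothing in `require` is wide open; an empty `include` matches nobody). The following is an added example, not SDK code and not how Access evaluates rules server-side: a small offline evaluator over policy objects in the same JSON shape this endpoint returns. The identity dict, the set of rule kinds it can decide (only those answerable from request data), and the placeholder ids are assumptions; unknown rule kinds raise so the check fails closed.

```python
import ipaddress
from typing import Any, Dict, Optional

Rule = Dict[str, Any]
Identity = Dict[str, Any]


def rule_matches(rule: Rule, identity: Identity) -> bool:
    """Evaluate one AccessRule object ({"email": {"email": ...}}, {"group": {"id": ...}}, ...)
    against a constructed identity dict (email, group_ids, ip, country_code, service_token_valid).
    Rule kinds that need identity-provider or posture data are not modelled and raise."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return identity.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        email = identity.get("email", "")
        return "@" in email and email.rsplit("@", 1)[1].lower() == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in identity.get("group_ids", [])
    if "ip" in rule:
        ip = identity.get("ip")
        # ip_network(..., strict=False) accepts host bits set in the CIDR; mixed v4/v6 is simply False
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    if "geo" in rule:
        return identity.get("country_code") == rule["geo"]["country_code"]
    if "any_valid_service_token" in rule:
        return identity.get("service_token_valid") is True
    raise ValueError(f"unsupported rule kind: {sorted(rule)}")  # fail closed on anything unmodelled


def policy_matches(policy: Dict[str, Any], identity: Identity) -> bool:
    """include: OR (empty include matches nobody); exclude: NOT; require: AND (empty require is no constraint)."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(rule_matches(r, identity) for r in include):
        return False
    if any(rule_matches(r, identity) for r in exclude):
        return False
    return all(rule_matches(r, identity) for r in require)


def policy_decision(policy: Dict[str, Any], identity: Identity) -> Optional[str]:
    """The policy's decision (allow/deny/non_identity/bypass) if the identity matches, else None."""
    return policy.get("decision") if policy_matches(policy, identity) else None


# Constructed sample policy in the shape of this endpoint's response; ids are placeholders.
SAMPLE_POLICY = {
    "name": "Allow devs",
    "decision": "allow",
    "include": [
        {"email_domain": {"domain": "example.com"}},
        {"group": {"id": "group-id-placeholder"}},
    ],
    "require": [
        {"geo": {"country_code": "US"}},
        {"ip": {"ip": "10.0.0.0/8"}},
    ],
    "exclude": [
        {"email": {"email": "contractor@example.com"}},
    ],
}

# Constructed identities used to exercise each branch of the logic.
DEV_IN_US = {"email": "alice@example.com", "group_ids": [], "ip": "10.1.2.3", "country_code": "US"}
DEV_ABROAD = {"email": "alice@example.com", "group_ids": [], "ip": "10.1.2.3", "country_code": "DE"}
CONTRACTOR = {"email": "contractor@example.com", "group_ids": [], "ip": "10.2.2.2", "country_code": "US"}
PARTNER_IN_GROUP = {"email": "bob@partner.net", "group_ids": ["group-id-placeholder"], "ip": "10.0.0.9", "country_code": "US"}
OUTSIDER = {"email": "mallory@other.example", "group_ids": [], "ip": "10.0.0.9", "country_code": "US"}

if __name__ == "__main__":
    for label, who in [("dev", DEV_IN_US), ("abroad", DEV_ABROAD), ("contractor", CONTRACTOR),
                       ("partner", PARTNER_IN_GROUP), ("outsider", OUTSIDER)]:
        print(f"{label:>10}: {policy_decision(SAMPLE_POLICY, who)}")
```

Running the evaluator over a policy dump is a cheap review aid: if a policy you expected to be narrow returns `"allow"` for a deliberately broad test identity, the `include` list is the first place to look.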
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.applications.policies.list(
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
policy = page.result[0]
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": ["text"],
          "allowed_clipboard_remote_to_local_formats": ["text"]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "include": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "precedence": 0,
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application policy

`zero_trust.access.applications.policies.get(str policy_id, PolicyGetParams **kwargs) -> PolicyGetResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.

### Parameters

- `app_id: str` UUID.
- `policy_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class PolicyGetResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
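A policy carries two differently formatted duration fields: `mfa_config.session_duration` accepts only whole minutes or hours (`5m`, `24h`, at most 720h), while the application-level `session_duration` is a Go-style duration (`300ms`, `2h45m`, units ns/us/ms/s/m/h). Mixing them up is a common hand-editing mistake, so the following is an added example, not SDK or Cloudflare code, of client-side validators for both formats plus a `duration_problems` check you could run over a policy dict before sending it. The nanosecond unit table, the regexes and the helper names are my own; the limits are the ones stated in the field descriptions above.

```python
import re
from typing import Any, Dict, List, Optional

# Units of the Go-style application session_duration, in nanoseconds
# (the field description lists ns, us or µs, ms, s, m, h).
_APP_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60_000_000_000,
    "h": 3_600_000_000_000,
}
# Two-letter units are listed before "m" and "s" so that "ms" is not read as "m" plus junk.
_APP_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
# MFA session_duration: a whole number followed by m or h, nothing else.
_MFA_TOKEN = re.compile(r"^(\d+)(m|h)$")
MFA_MAX_MINUTES = 720 * 60  # "Maximum: 720h (30 days)"


def parse_app_session_duration(value: str) -> Optional[int]:
    """Parse `300ms` / `2h45m` style values into nanoseconds; None if malformed."""
    if not value:
        return None
    pos, total = 0, 0
    while pos < len(value):
        m = _APP_TOKEN.match(value, pos)
        if m is None:
            return None  # missing or unknown unit, spaces, or trailing garbage
        total += round(float(m.group(1)) * _APP_UNIT_NS[m.group(2)])
        pos = m.end()
    return total


def parse_mfa_session_duration(value: str) -> Optional[int]:
    """Parse the MFA session_duration into minutes; None unless it is <n>m or <n>h and at most 720h."""
    m = _MFA_TOKEN.match(value or "")
    if m is None:
        return None
    n = int(m.group(1))
    minutes = n if m.group(2) == "m" else n * 60
    return minutes if minutes <= MFA_MAX_MINUTES else None


def duration_problems(policy: Dict[str, Any]) -> List[str]:
    """Return a list of problems with a policy dict's duration fields (empty means both are acceptable)."""
    problems: List[str] = []
    app = policy.get("session_duration")
    if app is not None and parse_app_session_duration(app) is None:
        problems.append(f"session_duration {app!r} is not a valid duration (expected e.g. 300ms or 2h45m)")
    mfa = (policy.get("mfa_config") or {}).get("session_duration")
    if mfa is not None and parse_mfa_session_duration(mfa) is None:
        problems.append(f"mfa_config.session_duration {mfa!r} must be <n>m or <n>h and at most 720h")
    return problems


if __name__ == "__main__":
    # Constructed policy fragment: the app duration is fine, the MFA one uses an unsupported unit.
    for line in duration_problems({"session_duration": "2h45m", "mfa_config": {"session_duration": "3d"}}):
        print(line)
```

Validating locally gives a clearer error than the API's generic rejection, and it also catches a value such as `24hrs` that a human reads as correct but the service will not.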
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.applications.policies.get(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access application policy

`zero_trust.access.applications.policies.create(str app_id, PolicyCreateParams **kwargs) -> PolicyCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Creates a policy that applies exclusively to a single application and defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.

### Parameters

- `app_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
  - `approvals_needed: float` The number of approvals needed to obtain access.
  - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
  - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
  - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
      - `"text"`
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `class PolicyCreateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `updated_at: Optional[datetime]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) policy = client.zero_trust.access.applications.policies.create( app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="account_id", ) print(policy.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "precedence": 0, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update an Access application policy 
`zero_trust.access.applications.policies.update(str policy_id, PolicyUpdateParams **kwargs) -> PolicyUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

### Parameters

- `app_id: str` UUID.
- `policy_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
  - `approvals_needed: float` The number of approvals needed to obtain access.
  - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
  - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
  - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
      - `"text"`
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `class PolicyUpdateResponse: …`
  - `id: Optional[str]` The UUID of the policy
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.applications.policies.update(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access application policy

`zero_trust.access.applications.policies.delete(str policy_id, PolicyDeleteParams **kwargs) -> PolicyDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

### Parameters

- `app_id: str` UUID.
- `policy_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class PolicyDeleteResponse: …`
  - `id: Optional[str]` UUID.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.applications.policies.delete(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Access Device Posture Rule

- `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
  - `device_posture: DevicePosture`
    - `integration_uid: str` The ID of a device posture integration.

### Access Rule

- `AccessRule` Matches an Access group.
  - `class GroupRule: …` Matches an Access group.
    - `group: Group`
      - `id: str` The ID of a previously created Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AccessAuthContextRuleAuthContext`
      - `id: str` The ID of an Authentication context.
      - `ac_id: str` The ACID of an Authentication context.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `auth_method: AuthMethod`
      - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `azure_ad: AzureAD`
      - `id: str` The ID of an Azure group.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
    - `certificate: Certificate`
  - `class AccessCommonNameRule: …` Matches a specific common name.
    - `common_name: AccessCommonNameRuleCommonName`
      - `common_name: str` The common name to match.
  - `class CountryRule: …` Matches a specific country
    - `geo: Geo`
      - `country_code: str` The country code that should be matched.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `device_posture: DevicePosture`
      - `integration_uid: str` The ID of a device posture integration.
  - `class DomainRule: …` Match an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: str` The email domain to match.
  - `class EmailListRule: …` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: str` The ID of a previously created email list.
  - `class EmailRule: …` Matches a specific email.
    - `email: Email`
      - `email: str` The email of the user.
  - `class EveryoneRule: …` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: str` The API endpoint containing your business logic.
      - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `github_organization: GitHubOrganization`
      - `identity_provider_id: str` The ID of your Github identity provider.
      - `name: str` The name of the organization.
      - `team: Optional[str]` The name of the team
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: str` The email of the Google Workspace group.
      - `identity_provider_id: str` The ID of your Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `login_method: AccessLoginMethodRuleLoginMethod`
      - `id: str` The ID of an identity provider.
  - `class IPListRule: …` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: str` The ID of a previously created IP list.
  - `class IPRule: …` Matches an IP address block.
    - `ip: IP`
      - `ip: str` An IPv4 or IPv6 CIDR block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: str` The ID of your Okta identity provider.
      - `name: str` The name of the Okta group.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: str` The name of the SAML attribute.
      - `attribute_value: str` The SAML attribute value to look for.
      - `identity_provider_id: str` The ID of your SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: AccessOIDCClaimRuleOIDC`
      - `claim_name: str` The name of the OIDC claim.
      - `claim_value: str` The OIDC claim value to look for.
      - `identity_provider_id: str` The ID of your OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `service_token: ServiceToken`
      - `token_id: str` The ID of a Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
      - `app_uid: str` The ID of an Access OIDC SaaS application
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
      - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`

### Any Valid Service Token Rule

- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.

### Authentication Method Rule

- `class AuthenticationMethodRule: …` Enforce different MFA options
  - `auth_method: AuthMethod`
    - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

### Azure Group Rule

- `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `azure_ad: AzureAD`
    - `id: str` The ID of an Azure group.
    - `identity_provider_id: str` The ID of your Azure identity provider.

### Certificate Rule

- `class CertificateRule: …` Matches any valid client certificate.
  - `certificate: Certificate`

### Country Rule

- `class CountryRule: …` Matches a specific country
  - `geo: Geo`
    - `country_code: str` The country code that should be matched.
### Domain Rule

- `class DomainRule: …` Matches an entire email domain.
  - `email_domain: EmailDomain`
    - `domain: str` The email domain to match.

### Email List Rule

- `class EmailListRule: …` Matches an email address from a list.
  - `email_list: EmailList`
    - `id: str` The ID of a previously created email list.

### Email Rule

- `class EmailRule: …` Matches a specific email.
  - `email: Email`
    - `email: str` The email of the user.

### Everyone Rule

- `class EveryoneRule: …` Matches everyone.
  - `everyone: Everyone` An empty object which matches on all users.

### External Evaluation Rule

- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `external_evaluation: ExternalEvaluation`
    - `evaluate_url: str` The API endpoint containing your business logic.
    - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.

### GitHub Organization Rule

- `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `github_organization: GitHubOrganization`
    - `identity_provider_id: str` The ID of your GitHub identity provider.
    - `name: str` The name of the organization.
    - `team: Optional[str]` The name of the team.

### Group Rule

- `class GroupRule: …` Matches an Access group.
  - `group: Group`
    - `id: str` The ID of a previously created Access group.

### GSuite Group Rule

- `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `gsuite: GSuite`
    - `email: str` The email of the Google Workspace group.
    - `identity_provider_id: str` The ID of your Google Workspace identity provider.

### IP List Rule

- `class IPListRule: …` Matches an IP address from a list.
  - `ip_list: IPList`
    - `id: str` The ID of a previously created IP list.

### IP Rule

- `class IPRule: …` Matches an IP address block.
  - `ip: IP`
    - `ip: str` An IPv4 or IPv6 CIDR block.
### Okta Group Rule

- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `okta: Okta`
    - `identity_provider_id: str` The ID of your Okta identity provider.
    - `name: str` The name of the Okta group.

### SAML Group Rule

- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `saml: SAML`
    - `attribute_name: str` The name of the SAML attribute.
    - `attribute_value: str` The SAML attribute value to look for.
    - `identity_provider_id: str` The ID of your SAML identity provider.

### Service Token Rule

- `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `service_token: ServiceToken`
    - `token_id: str` The ID of a Service Token.

### Policy List Response

- `class PolicyListResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Get Response

- `class PolicyGetResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Create Response

- `class PolicyCreateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
- `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
- `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. 
- `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. 
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` ### Policy Update Response - `class PolicyUpdateResponse: …` - `id: Optional[str]` The UUID of the policy - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. 
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Delete Response

- `class PolicyDeleteResponse: …`
  - `id: Optional[str]` UUID.

# Policy Tests

## Get the current status of a given Access policy test

`zero_trust.access.applications.policy_tests.get(policy_test_id: str, **kwargs: PolicyTestGetParams) -> PolicyTestGetResponse`

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}`

Fetches the current status of a given Access policy test.

### Parameters

- `account_id: str` Identifier.
- `policy_test_id: str` The UUID of the policy test.
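The policy types listed above state how the three rule lists combine: `include` is OR-ed (any one rule suffices), `exclude` is NOT-ed (no rule may match), and `require` is AND-ed (every rule must match). The following is an added example, not SDK code and not Cloudflare's evaluation engine, that models that combination locally so a draft policy can be reasoned about before it is submitted to a policy test. Rule dicts follow the shapes on this page (for instance `{"email_domain": {"domain": "example.com"}}`); the identity-context keys (`email`, `ip`, `groups`, `passed_posture_checks`, `risk_score`), the placeholder IDs, and the first-match-by-precedence assumption in `decide()` are mine.

```python
"""Local model of how an Access policy's include, exclude and require lists combine.

Added example, not SDK code. Rules are plain dicts shaped like the rule classes on
this page; the identity-context keys are my own names, not Access fields.
"""
from __future__ import annotations

import ipaddress
from typing import Any, Dict, Iterable, List, Optional

Rule = Dict[str, Any]
Context = Dict[str, Any]


def rule_matches(rule: Rule, ctx: Context) -> bool:
    """Evaluate one selector against the identity context (a subset of the rule types on this page)."""
    if "everyone" in rule:                      # EveryoneRule: empty object, matches all users
        return True
    if "email" in rule:                         # EmailRule
        return ctx.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:                  # DomainRule: compare the part after the last '@'
        email = ctx.get("email", "")
        return "@" in email and email.rsplit("@", 1)[1].lower() == rule["email_domain"]["domain"].lower()
    if "ip" in rule:                            # IPRule: CIDR containment, IPv4 or IPv6
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    if "geo" in rule:                           # CountryRule
        return ctx.get("country") == rule["geo"]["country_code"]
    if "group" in rule:                         # GroupRule: membership in a previously created Access group
        return rule["group"]["id"] in ctx.get("groups", ())
    if "device_posture" in rule:                # AccessDevicePostureRule: the posture check must have passed
        return rule["device_posture"]["integration_uid"] in ctx.get("passed_posture_checks", ())
    if "user_risk_score" in rule:               # AccessUserRiskScoreRule
        return ctx.get("risk_score", "unscored") in rule["user_risk_score"]["user_risk_score"]
    raise ValueError(f"unsupported rule type: {sorted(rule)}")


def policy_matches(policy: Dict[str, Any], ctx: Context) -> bool:
    """include is OR-ed, exclude is NOT-ed, require is AND-ed, as the field descriptions state."""
    include: List[Rule] = policy.get("include") or []
    exclude: List[Rule] = policy.get("exclude") or []
    require: List[Rule] = policy.get("require") or []
    if not any(rule_matches(r, ctx) for r in include):
        return False                            # an empty include list includes nobody
    if any(rule_matches(r, ctx) for r in exclude):
        return False
    return all(rule_matches(r, ctx) for r in require)   # vacuously true when require is empty


def decide(policies: Iterable[Dict[str, Any]], ctx: Context) -> Optional[str]:
    """Return the decision of the first matching policy in precedence order, or None if none matches.

    Assumption (mine, not stated on this page): lower precedence runs first and the first
    match wins; callers should treat None as 'no access granted'.
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return None


# Constructed policies and identities; the IDs and addresses are placeholders, not real objects.
POLICIES = [
    {"name": "Block high-risk users", "decision": "deny", "precedence": 1,
     "include": [{"everyone": {}}],
     "require": [{"user_risk_score": {"user_risk_score": ["high"]}}]},
    {"name": "Staff on managed devices from the office range", "decision": "allow", "precedence": 2,
     "include": [{"email_domain": {"domain": "example.com"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}],
     "require": [{"device_posture": {"integration_uid": "posture-placeholder-id"}},
                 {"ip": {"ip": "203.0.113.0/24"}}]},
]

CONTEXTS = {
    "alice_ok": {"email": "alice@example.com", "ip": "203.0.113.7",
                 "passed_posture_checks": ["posture-placeholder-id"], "risk_score": "low"},
    "alice_high_risk": {"email": "alice@example.com", "ip": "203.0.113.7",
                        "passed_posture_checks": ["posture-placeholder-id"], "risk_score": "high"},
    "contractor_excluded": {"email": "contractor@example.com", "ip": "203.0.113.8",
                            "passed_posture_checks": ["posture-placeholder-id"]},
    "alice_off_network": {"email": "alice@example.com", "ip": "198.51.100.9",
                          "passed_posture_checks": ["posture-placeholder-id"]},
    "outsider": {"email": "mallory@example.net", "ip": "203.0.113.7",
                 "passed_posture_checks": ["posture-placeholder-id"]},
}


def run_examples() -> Dict[str, Optional[str]]:
    """Decision for each constructed identity: allow, deny, or None (no policy matched)."""
    return {name: decide(POLICIES, ctx) for name, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(f"{name:22} -> {decision}")
```

The deny policy runs first on purpose: a `require` list on an `everyone` include is the idiom for "everyone who also has property X", so the high-risk user is denied before the allow policy is consulted, while the contractor is kept out by `exclude` even though the domain `include` matches.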
### Returns

- `class PolicyTestGetResponse: …`
  - `id: Optional[str]` The UUID of the policy test.
  - `percent_approved: Optional[int]` The percentage of (processed) users approved based on policy evaluation results.
  - `percent_blocked: Optional[int]` The percentage of (processed) users blocked based on policy evaluation results.
  - `percent_errored: Optional[int]` The percentage of (processed) users errored based on policy evaluation results.
  - `percent_users_processed: Optional[int]` The percentage of users processed so far (of the entire user base).
  - `status: Optional[Literal["blocked", "processing", "exceeded time", "complete"]]` The status of the policy test.
    - `"blocked"`
    - `"processing"`
    - `"exceeded time"`
    - `"complete"`
  - `total_users: Optional[int]` The total number of users in the user base.
  - `users_approved: Optional[int]` The number of (processed) users approved based on policy evaluation results.
  - `users_blocked: Optional[int]` The number of (processed) users blocked based on policy evaluation results.
  - `users_errored: Optional[int]` The number of (processed) users errored based on policy evaluation results.
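A policy test is asynchronous: `create` (described further down on this page) returns the test's `id`, and `get` reports progress through `status` until it reaches `complete`, `blocked` or `exceeded time`. The following is an added example, not part of the SDK, that polls `get` until a terminal status and then applies roll-out thresholds to the blocked and errored percentages, so a policy that would lock out a large share of the user base is caught before it is applied. `run_with_sdk` uses the two SDK calls shown on this page; `demo` replays a constructed status sequence offline. The `PolicyTestStatus` dataclass, the thresholds and the placeholder test ID are mine.

```python
"""Start an Access policy test, wait for it to finish, and gate a roll-out on the result.

Added example, not SDK code. The thresholds, the PolicyTestStatus dataclass and the
constructed status sequence are mine; only the two client calls mirror this page.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Status values documented for PolicyTestGetResponse.status; "processing" means keep waiting.
TERMINAL_STATUSES = frozenset({"complete", "blocked", "exceeded time"})


@dataclass
class PolicyTestStatus:
    """The subset of PolicyTestGetResponse fields the roll-out check needs."""
    id: str
    status: str
    percent_users_processed: int = 0
    percent_blocked: int = 0
    percent_errored: int = 0
    users_blocked: int = 0
    users_errored: int = 0
    total_users: int = 0


def wait_for_policy_test(fetch: Callable[[], PolicyTestStatus], *, interval_s: float = 5.0,
                         max_polls: int = 60, sleep: Callable[[float], None] = time.sleep) -> PolicyTestStatus:
    """Poll fetch() until the test reaches a terminal status; raise TimeoutError if it never does."""
    last: Optional[PolicyTestStatus] = None
    for _ in range(max_polls):
        last = fetch()
        if last.status in TERMINAL_STATUSES:
            return last
        sleep(interval_s)
    status = last.status if last else "unknown"
    raise TimeoutError(f"policy test still {status!r} after {max_polls} polls")


def assess_rollout(result: PolicyTestStatus, *, max_blocked_percent: int = 5,
                   max_errored_percent: int = 0) -> Tuple[bool, str]:
    """Decide whether the tested policy is safe to apply, and say why (thresholds are my own)."""
    if result.status != "complete":
        return False, f"test ended with status {result.status!r}, not 'complete'"
    if result.percent_errored > max_errored_percent:
        return False, f"{result.percent_errored}% of users errored ({result.users_errored}/{result.total_users})"
    if result.percent_blocked > max_blocked_percent:
        return False, f"{result.percent_blocked}% of users would be blocked ({result.users_blocked}/{result.total_users})"
    return True, "blocked and errored shares are within thresholds"


def run_with_sdk(client, account_id: str, policies: Iterable) -> PolicyTestStatus:
    """Start a test with the SDK calls shown on this page and wait for it (needs network; not run offline)."""
    started = client.zero_trust.access.applications.policy_tests.create(
        account_id=account_id, policies=list(policies))

    def fetch() -> PolicyTestStatus:
        r = client.zero_trust.access.applications.policy_tests.get(
            policy_test_id=started.id, account_id=account_id)
        return PolicyTestStatus(id=r.id or started.id, status=r.status or "processing",
                                percent_users_processed=r.percent_users_processed or 0,
                                percent_blocked=r.percent_blocked or 0, percent_errored=r.percent_errored or 0,
                                users_blocked=r.users_blocked or 0, users_errored=r.users_errored or 0,
                                total_users=r.total_users or 0)

    return wait_for_policy_test(fetch)


# Constructed status sequence (not real API output); the final values mirror the sample response on this page.
CONSTRUCTED_POLLS: List[PolicyTestStatus] = [
    PolicyTestStatus(id="policy-test-placeholder", status="processing", percent_users_processed=50),
    PolicyTestStatus(id="policy-test-placeholder", status="complete", percent_users_processed=100,
                     percent_blocked=25, percent_errored=25, users_blocked=5, users_errored=5, total_users=20),
]


def demo() -> Tuple[PolicyTestStatus, bool, str]:
    """Replay the constructed sequence without sleeping or touching the network."""
    polls = iter(CONSTRUCTED_POLLS)
    result = wait_for_policy_test(lambda: next(polls), sleep=lambda _s: None)
    ok, why = assess_rollout(result)
    return result, ok, why


if __name__ == "__main__":
    r, ok, why = demo()
    print(f"{r.status}: {'safe to roll out' if ok else 'hold'} ({why})")
```

`fetch` and `sleep` are injected so the loop can be exercised against recorded statuses; in production the same loop wraps the real `get` call. Note that the check treats `blocked` and `exceeded time` as failures rather than retrying, since neither yields a trustworthy count.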
### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) policy_test = client.zero_trust.access.applications.policy_tests.get( policy_test_id="f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(policy_test.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6", "percent_approved": 25, "percent_blocked": 25, "percent_errored": 25, "percent_users_processed": 50, "status": "complete", "total_users": 20, "users_approved": 5, "users_blocked": 5, "users_errored": 5 } } ``` ## Start Access policy test `zero_trust.access.applications.policy_tests.create(PolicyTestCreateParams**kwargs) -> PolicyTestCreateResponse` **post** `/accounts/{account_id}/access/policy-tests` Starts an Access policy test. ### Parameters - `account_id: str` Identifier. - `policies: Optional[SequenceNotStr[Policy]]` - `class PolicyUnionMember0: …` - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. 
- `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: str` The name of the Access policy. - `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request. - `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[PolicyUnionMember0ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[PolicyUnionMember0ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. 
Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[PolicyUnionMember0MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. 
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `str` The UUID of the reusable policy you wish to test.

### Returns

- `class PolicyTestCreateResponse: …`
  - `id: Optional[str]` The UUID of the policy test.
  - `status: Optional[Literal["success"]]` The status of the policy test request.
    - `"success"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy_test = client.zero_trust.access.applications.policy_tests.create(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(policy_test.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "status": "success"
  }
}
```

## Domain Types

### Policy Test Get Response

- `class PolicyTestGetResponse: …`
  - `id: Optional[str]` The UUID of the policy test.
  - `percent_approved: Optional[int]` The percentage of (processed) users approved based on policy evaluation results.
  - `percent_blocked: Optional[int]` The percentage of (processed) users blocked based on policy evaluation results.
  - `percent_errored: Optional[int]` The percentage of (processed) users errored based on policy evaluation results.
  - `percent_users_processed: Optional[int]` The percentage of users processed so far (of the entire user base).
  - `status: Optional[Literal["blocked", "processing", "exceeded time", "complete"]]` The status of the policy test.
    - `"blocked"`
    - `"processing"`
    - `"exceeded time"`
    - `"complete"`
  - `total_users: Optional[int]` The total number of users in the user base.
  - `users_approved: Optional[int]` The number of (processed) users approved based on policy evaluation results.
  - `users_blocked: Optional[int]` The number of (processed) users blocked based on policy evaluation results.
  - `users_errored: Optional[int]` The number of (processed) users errored based on policy evaluation results.

### Policy Test Create Response

- `class PolicyTestCreateResponse: …`
  - `id: Optional[str]` The UUID of the policy test.
  - `status: Optional[Literal["success"]]` The status of the policy test request.
    - `"success"`

# Users

## Get an Access policy test users page

`zero_trust.access.applications.policy_tests.users.list(policy_test_id: str, **kwargs: UserListParams) -> SyncV4PagePaginationArray[UserListResponse]`

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}/users`

Fetches a single page of user results from an Access policy test.

### Parameters

- `account_id: str` Identifier.
- `policy_test_id: str` The UUID of the policy test.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]`
- `status: Optional[Literal["success", "fail", "error"]]` Filter users by their policy evaluation status.
  - `"success"`
  - `"fail"`
  - `"error"`

### Returns

- `class UserListResponse: …`
  - `id: Optional[str]` UUID.
  - `email: Optional[str]` The email of the user.
  - `name: Optional[str]` The name of the user.
  - `status: Optional[Literal["approved", "blocked", "error"]]` Policy evaluation result for an individual user.
    - `"approved"`
    - `"blocked"`
    - `"error"`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.applications.policy_tests.users.list(
    policy_test_id="f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "jdoe@example.com",
      "name": "Jane Doe",
      "status": "approved"
    }
  ]
}
```

## Domain Types

### User List Response

- `class UserListResponse: …`
  - `id: Optional[str]` UUID.
  - `email: Optional[str]` The email of the user.
  - `name: Optional[str]` The name of the user.
  - `status: Optional[Literal["approved", "blocked", "error"]]` Policy evaluation result for an individual user.
    - `"approved"`
    - `"blocked"`
    - `"error"`

# Settings

## Update Access application settings

`zero_trust.access.applications.settings.update(app_id: AppID, **kwargs: SettingUpdateParams) -> SettingUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Parameters

- `app_id: AppID` Identifier.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
- `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
### Returns

- `class SettingUpdateResponse: …`
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
setting = client.zero_trust.access.applications.settings.update(
    app_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(setting.allow_iframe)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Update Access application settings

`zero_trust.access.applications.settings.edit(app_id: AppID, **kwargs: SettingEditParams) -> SettingEditResponse`

**patch** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Parameters

- `app_id: AppID` Identifier.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
- `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.

### Returns

- `class SettingEditResponse: …`
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.applications.settings.edit(
    app_id="023e105f4ecef8ad9ca31a8372d0c353",
    account_id="account_id",
)
print(response.allow_iframe)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Domain Types

### Setting Update Response

- `class SettingUpdateResponse: …`
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.

### Setting Edit Response

- `class SettingEditResponse: …`
  - `allow_iframe: Optional[bool]` Enables loading application content in an iFrame.
  - `skip_interstitial: Optional[bool]` Enables automatic authentication through cloudflared.

# Certificates

## List mTLS certificates

`zero_trust.access.certificates.list(**kwargs: CertificateListParams) -> SyncV4PagePaginationArray[Certificate]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Lists all mTLS root certificates.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.

### Returns

- `class Certificate: …`
  - `id: Optional[str]` The ID of the application that will use this certificate.
  - `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate.
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate.
  - `name: Optional[str]` The name of the certificate.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.certificates.list(
    account_id="account_id",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "associated_hostnames": ["admin.example.com"],
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
      "name": "Allow devs",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an mTLS certificate

`zero_trust.access.certificates.get(certificate_id: str, **kwargs: CertificateGetParams) -> Certificate`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Fetches a single mTLS certificate.

### Parameters

- `certificate_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class Certificate: …`
  - `id: Optional[str]` The ID of the application that will use this certificate.
  - `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate.
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate.
  - `name: Optional[str]` The name of the certificate.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
certificate = client.zero_trust.access.certificates.get(
    certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(certificate.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": ["admin.example.com"],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Add an mTLS certificate

`zero_trust.access.certificates.create(**kwargs: CertificateCreateParams) -> Certificate`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Adds a new mTLS root certificate to Access.

### Parameters

- `certificate: str` The certificate content.
- `name: str` The name of the certificate.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `associated_hostnames: Optional[SequenceNotStr[AssociatedHostnames]]` The hostnames of the applications that will use this certificate.
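A pre-upload check for the `certificate` and `associated_hostnames` parameters above, added here as an example; it is not part of the Cloudflare SDK or its documentation. It extracts the DER body from the PEM text, checks that the outer DER SEQUENCE length matches the decoded size (catching a truncated or padded paste), formats the MD5 digest the same way the API reports `fingerprint` so the value Access returns can be compared with the certificate you meant to register, and rejects hostnames that are not FQDNs. The sample certificate is a constructed DER SEQUENCE, not a real CA.

```python
"""Pre-upload checks for an Access mTLS root certificate (added example, stdlib only)."""
import base64
import hashlib
import re
from dataclasses import dataclass, field

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)
# One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group("body").split())
    der = base64.b64decode(body, validate=True)  # reject stray characters
    if not der:
        raise ValueError("empty certificate body")
    return der


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used to build the constructed sample below)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def der_outer_length(der: bytes) -> int:
    """Total encoded length (header + content) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("certificate does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:  # short form: the length is this byte
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length, big-endian
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2 : 2 + n], "big")


def md5_fingerprint(der: bytes) -> str:
    """Format the MD5 digest the way the Access API reports it in `fingerprint`."""
    digest = hashlib.md5(der).hexdigest().upper()
    return "MD5 Fingerprint=" + ":".join(digest[i : i + 2] for i in range(0, 32, 2))


def fingerprints_match(reported: str, computed: str) -> bool:
    """Compare an API-reported fingerprint with a locally computed one, ignoring case/prefix."""
    norm = lambda s: s.split("=", 1)[-1].replace(":", "").strip().upper()
    return norm(reported) == norm(computed)


def is_fqdn(hostname: str) -> bool:
    """True for a dotted, label-valid hostname (what `associated_hostnames` expects)."""
    h = hostname.rstrip(".")
    if not h or len(h) > 253 or "." not in h:
        return False
    return all(LABEL_RE.match(label) for label in h.split("."))


@dataclass
class PrecheckResult:
    fingerprint: str
    rejected_hostnames: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def precheck_certificate(pem: str, associated_hostnames: list) -> PrecheckResult:
    """Run all checks; an empty `problems` and `rejected_hostnames` means safe to upload."""
    der = pem_to_der(pem)
    problems = []
    if der_outer_length(der) != len(der):
        problems.append("DER SEQUENCE length does not match certificate size (truncated or trailing data)")
    bad = [h for h in associated_hostnames if not is_fqdn(h)]
    return PrecheckResult(md5_fingerprint(der), bad, problems)


# Constructed sample: a valid DER SEQUENCE of three INTEGERs (not an X.509 certificate).
SAMPLE_DER = bytes.fromhex("3009020101020102020103")
SAMPLE_PEM = pem_from_der(SAMPLE_DER)

if __name__ == "__main__":
    result = precheck_certificate(SAMPLE_PEM, ["admin.example.com", "bad_host"])
    print(result)
    # After client.zero_trust.access.certificates.create(...), compare
    # fingerprints_match(certificate.fingerprint, result.fingerprint) before trusting the entry.
```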
### Returns

- `class Certificate: …`
  - `id: Optional[str]` The ID of the application that will use this certificate.
  - `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate.
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate.
  - `name: Optional[str]` The name of the certificate.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
certificate = client.zero_trust.access.certificates.create(
    certificate="-----BEGIN CERTIFICATE-----\nMIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10\nDrUtmu/B\n-----END CERTIFICATE-----",
    name="Allow devs",
    account_id="account_id",
)
print(certificate.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": ["admin.example.com"],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an mTLS certificate

`zero_trust.access.certificates.update(certificate_id: str, **kwargs: CertificateUpdateParams) -> Certificate`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Updates a configured mTLS certificate.

### Parameters

- `certificate_id: str` UUID.
- `associated_hostnames: SequenceNotStr[AssociatedHostnames]` The hostnames of the applications that will use this certificate.
- `account_id: Optional[str]` The Account ID to use for this endpoint.
  Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `name: Optional[str]` The name of the certificate.

### Returns

- `class Certificate: …`
  - `id: Optional[str]` The ID of the application that will use this certificate.
  - `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate.
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate.
  - `name: Optional[str]` The name of the certificate.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
certificate = client.zero_trust.access.certificates.update(
    certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    associated_hostnames=["admin.example.com"],
    account_id="account_id",
)
print(certificate.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": ["admin.example.com"],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an mTLS certificate

`zero_trust.access.certificates.delete(certificate_id: str, **kwargs: CertificateDeleteParams) -> CertificateDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Deletes an mTLS certificate.

### Parameters

- `certificate_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class CertificateDeleteResponse: …`
  - `id: Optional[str]` UUID.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
certificate = client.zero_trust.access.certificates.delete(
    certificate_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(certificate.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Associated Hostnames

- `str` A fully-qualified domain name (FQDN).

### Certificate

- `class Certificate: …`
  - `id: Optional[str]` The ID of the application that will use this certificate.
  - `associated_hostnames: Optional[List[AssociatedHostnames]]` The hostnames of the applications that will use this certificate.
  - `expires_on: Optional[datetime]`
  - `fingerprint: Optional[str]` The MD5 fingerprint of the certificate.
  - `name: Optional[str]` The name of the certificate.

### Certificate Delete Response

- `class CertificateDeleteResponse: …`
  - `id: Optional[str]` UUID.

# Settings

## List all mTLS hostname settings

`zero_trust.access.certificates.settings.get(**kwargs: SettingGetParams) -> SyncSinglePage[CertificateSettings]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

List all mTLS hostname settings for this account or zone.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint.
  Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class CertificateSettings: …`
  - `china_network: bool` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
  - `client_certificate_forwarding: bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `hostname: str` The hostname that these settings apply to.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.certificates.settings.get(
    account_id="account_id",
)
page = page.result[0]
print(page.china_network)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Update an mTLS certificate's hostname settings

`zero_trust.access.certificates.settings.update(**kwargs: SettingUpdateParams) -> SyncSinglePage[CertificateSettings]`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

Updates an mTLS certificate's hostname settings.

### Parameters

- `settings: Iterable[CertificateSettingsParam]`
  - `china_network: bool` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
  - `client_certificate_forwarding: bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `hostname: str` The hostname that these settings apply to.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class CertificateSettings: …`
  - `china_network: bool` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
  - `client_certificate_forwarding: bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `hostname: str` The hostname that these settings apply to.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.certificates.settings.update(
    settings=[{
        "china_network": False,
        "client_certificate_forwarding": True,
        "hostname": "admin.example.com",
    }],
    account_id="account_id",
)
page = page.result[0]
print(page.china_network)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Certificate Settings

- `class CertificateSettings: …`
  - `china_network: bool` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
  - `client_certificate_forwarding: bool` Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `hostname: str` The hostname that these settings apply to.

# Groups

## List Access groups

`zero_trust.access.groups.list(**kwargs: GroupListParams) -> SyncV4PagePaginationArray[GroupListResponse]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Lists all Access groups.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `name: Optional[str]` The name of the group.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `search: Optional[str]` Search for groups by other listed query parameters.

### Returns

- `class GroupListResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
- `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator; this page describes the field exactly like `require` (a user must meet all of these rules). Note the type difference from the create parameter of the same name, which is a boolean indicating whether this is the default group. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access group. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.groups.list(
    account_id="account_id",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
      "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
      "is_default": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
      "name": "Allow devs",
      "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access group

`zero_trust.access.groups.get(str group_id, GroupGetParams **kwargs) -> GroupGetResponse`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Fetches a single Access group.

### Parameters

- `group_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class GroupGetResponse: …` - `id: Optional[str]` UUID. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider.
- `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. 
- `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. 
- `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. 
- `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator; this page describes the field exactly like `require` (a user must meet all of these rules). Note the type difference from the create parameter of the same name, which is a boolean indicating whether this is the default group. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
- `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `name: Optional[str]` The name of the Access group. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. 
- `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.zero_trust.access.groups.get(
    group_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(group.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "is_default": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "name": "Allow devs",
    "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access group

`zero_trust.access.groups.create(GroupCreateParams **kwargs) -> GroupCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Creates a new Access group.

### Parameters

- `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list.
- `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. 
- `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: str` The name of the Access group. - `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. - `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. 
Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `is_default: Optional[bool]` Whether this is the default group - `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
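The parameters above give the create payload its shape (`include` is OR, `require` is AND, `exclude` is NOT), but nothing on this page shows how those three lists combine for a concrete subject, or what an over-broad group looks like. The following is an added example, not code from the Cloudflare SDK or its documentation. The rule dicts follow the `AccessRuleParam` variants listed above (`email_domain`, `ip`, `auth_method`, `geo`, `user_risk_score`); `group_matches()` is a local approximation of the documented OR/AND/NOT evaluation for the rule types that need no identity-provider, list or device-posture lookup, not Cloudflare's own engine; the domain, CIDRs, country and subject records are constructed placeholders, and `create_group()` is the only part that talks to the API.

```python
"""Added example: build an Access group create payload and sanity-check its
include/require/exclude semantics locally before sending it. Not Cloudflare's
code; group_matches() approximates the documented rule logic for rule types
that can be evaluated from the subject alone."""
import ipaddress
from typing import Any, Dict, List

Rule = Dict[str, Any]
Group = Dict[str, Any]

# Constructed least-privilege group. Domain, CIDR and country are placeholders.
DEV_GROUP_PAYLOAD: Group = {
    "name": "Allow devs",
    # include: OR. Meeting any one rule puts the subject in the candidate set.
    "include": [
        {"email_domain": {"domain": "example.com"}},
        {"ip": {"ip": "203.0.113.0/24"}},  # documentation range standing in for an office egress
    ],
    # require: AND. Every rule must also hold.
    "require": [
        {"auth_method": {"auth_method": "mfa"}},  # RFC 8176 amr value
        {"geo": {"country_code": "US"}},
    ],
    # exclude: NOT. A single match here denies regardless of include/require.
    "exclude": [
        {"user_risk_score": {"user_risk_score": ["high"]}},
    ],
}

# Constructed subjects: what would be known about a request after login.
SAMPLE_SUBJECTS: Dict[str, Dict[str, Any]] = {
    "dev_with_mfa": {"email": "dev@example.com", "ip": "198.51.100.7",
                     "country_code": "US", "amr": ["pwd", "mfa"], "risk_score": "low"},
    "dev_password_only": {"email": "dev@example.com", "ip": "198.51.100.7",
                          "country_code": "US", "amr": ["pwd"], "risk_score": "low"},
    "dev_high_risk": {"email": "dev@example.com", "ip": "198.51.100.7",
                      "country_code": "US", "amr": ["pwd", "mfa"], "risk_score": "high"},
    "dev_abroad": {"email": "dev@example.com", "ip": "198.51.100.7",
                   "country_code": "DE", "amr": ["pwd", "mfa"], "risk_score": "low"},
    "contractor_in_office": {"email": "c@partner.example", "ip": "203.0.113.9",
                             "country_code": "US", "amr": ["mfa"], "risk_score": "unscored"},
}


def rule_matches(rule: Rule, subject: Dict[str, Any]) -> bool:
    """Evaluate one AccessRule dict against a subject. Rule types that need an
    IdP, list or posture lookup raise, so a local check never silently treats
    them as a match or a non-match."""
    (kind, spec), = rule.items()  # every AccessRule dict has exactly one key
    email = subject.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == spec["email"].lower()
    if kind == "email_domain":  # whole domain only, no subdomain matching
        return email.endswith("@" + spec["domain"].lower())
    if kind == "ip":  # an IPv4/IPv6 version mismatch simply yields False
        return ipaddress.ip_address(subject["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "geo":
        return subject.get("country_code") == spec["country_code"]
    if kind == "auth_method":
        return spec["auth_method"] in subject.get("amr", [])
    if kind == "user_risk_score":
        return subject.get("risk_score", "unscored") in spec["user_risk_score"]
    raise ValueError(f"rule type {kind!r} needs an external lookup; not evaluated locally")


def group_matches(group: Group, subject: Dict[str, Any]) -> bool:
    """include is OR, require is AND, exclude is NOT. An empty include admits
    nobody (OR over nothing); empty require/exclude impose nothing."""
    include = group.get("include") or []
    require = group.get("require") or []
    exclude = group.get("exclude") or []
    if not any(rule_matches(r, subject) for r in include):
        return False
    if not all(rule_matches(r, subject) for r in require):
        return False
    return not any(rule_matches(r, subject) for r in exclude)


OVERBROAD_RULES = {"everyone", "any_valid_service_token"}


def overbroad_includes(group: Group) -> List[str]:
    """Include rules that admit every user or every service token while no
    require rule narrows them: such a group matches anyone who authenticates."""
    if group.get("require"):
        return []
    return [kind for rule in group.get("include") or [] for kind in rule if kind in OVERBROAD_RULES]


def evaluate_all(group: Group, subjects: Dict[str, Dict[str, Any]]) -> Dict[str, bool]:
    return {name: group_matches(group, subj) for name, subj in subjects.items()}


def create_group(account_id: str, payload: Group):
    """Create the group with the SDK call documented on this page. Imported
    lazily so the local checks run without the package or network access; the
    client reads CLOUDFLARE_API_TOKEN from the environment by default."""
    from cloudflare import Cloudflare
    client = Cloudflare()
    return client.zero_trust.access.groups.create(account_id=account_id, **payload)


if __name__ == "__main__":
    assert not overbroad_includes(DEV_GROUP_PAYLOAD)
    for name, allowed in evaluate_all(DEV_GROUP_PAYLOAD, SAMPLE_SUBJECTS).items():
        print(f"{name:22s} {'allow' if allowed else 'deny'}")
    # create_group("<account_id>", DEV_GROUP_PAYLOAD)  # uncomment to create it for real
```

Run the local checks first; only `dev_with_mfa` and `contractor_in_office` pass, because the contractor enters through the `ip` include rule while the other three developers fail `require` (no `mfa` amr, wrong country) or hit `exclude` (high risk score). The payload is passed to `create()` as keyword arguments, matching the `name`, `include`, `require` and `exclude` parameters listed above.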
### Returns - `class GroupCreateResponse: …` - `id: Optional[str]` UUID. - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. 
- `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. 
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.zero_trust.access.groups.create(
    include=[{
        "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
    }],
    name="Allow devs",
    account_id="account_id",
)
print(group.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access group

`zero_trust.access.groups.update(str group_id, GroupUpdateParams **kwargs) -> GroupUpdateResponse`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Updates a configured Access group.

### Parameters

- `group_id: str` UUID.
- `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
    - `group: Group`
      - `id: str` The ID of a previously created Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AccessAuthContextRuleAuthContext`
      - `id: str` The ID of an Authentication context.
      - `ac_id: str` The ACID of an Authentication context.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `auth_method: AuthMethod`
      - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `azure_ad: AzureAD`
      - `id: str` The ID of an Azure group.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
    - `certificate: Certificate`
  - `class AccessCommonNameRule: …` Matches a specific common name.
    - `common_name: AccessCommonNameRuleCommonName`
      - `common_name: str` The common name to match.
  - `class CountryRule: …` Matches a specific country
    - `geo: Geo`
      - `country_code: str` The country code that should be matched.
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `device_posture: DevicePosture`
      - `integration_uid: str` The ID of a device posture integration.
  - `class DomainRule: …` Match an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: str` The email domain to match.
  - `class EmailListRule: …` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: str` The ID of a previously created email list.
  - `class EmailRule: …` Matches a specific email.
    - `email: Email`
      - `email: str` The email of the user.
  - `class EveryoneRule: …` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: str` The API endpoint containing your business logic.
      - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `github_organization: GitHubOrganization`
      - `identity_provider_id: str` The ID of your Github identity provider.
      - `name: str` The name of the organization.
      - `team: Optional[str]` The name of the team
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: str` The email of the Google Workspace group.
      - `identity_provider_id: str` The ID of your Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `login_method: AccessLoginMethodRuleLoginMethod`
      - `id: str` The ID of an identity provider.
  - `class IPListRule: …` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: str` The ID of a previously created IP list.
  - `class IPRule: …` Matches an IP address block.
    - `ip: IP`
      - `ip: str` An IPv4 or IPv6 CIDR block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: str` The ID of your Okta identity provider.
      - `name: str` The name of the Okta group.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: str` The name of the SAML attribute.
      - `attribute_value: str` The SAML attribute value to look for.
      - `identity_provider_id: str` The ID of your SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: AccessOIDCClaimRuleOIDC`
      - `claim_name: str` The name of the OIDC claim.
      - `claim_value: str` The OIDC claim value to look for.
      - `identity_provider_id: str` The ID of your OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `service_token: ServiceToken`
      - `token_id: str` The ID of a Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
      - `app_uid: str` The ID of an Access OIDC SaaS application
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
      - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: str` The name of the Access group.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `is_default: Optional[bool]` Whether this is the default group
- `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Returns

- `class GroupUpdateResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
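The `include` / `exclude` / `require` lists documented for the create and update endpoints combine as OR, NOT and AND respectively, and a group can itself be referenced from another group via `GroupRule`. The evaluator below is an added example, not Cloudflare's evaluation engine or SDK code: it models those stated semantics for a handful of the rule shapes listed on this page so you can sanity-check a group definition before sending it. The identity dict layout, the recursive resolution of `group` rules, and failing closed on any selector it does not model are assumptions of this example; the sample groups are constructed and reuse the ids from the page's own examples.

```python
"""Local model of how include / exclude / require on an Access group combine.

The reference states the semantics:
  include -> OR  : the user needs to meet only one of the Include rules
  exclude -> NOT : the user cannot meet any of the Exclude rules
  require -> AND : the user must meet all of the Require rules
Added example, not Cloudflare code. Identity layout, nested-group resolution and
fail-closed handling of unmodelled selectors are assumptions made here.
"""
from __future__ import annotations

import ipaddress
from typing import Any, Dict, Mapping, Sequence, Tuple

Rule = Mapping[str, Any]       # one AccessRule-shaped dict, e.g. {"email": {"email": "..."}}
Identity = Mapping[str, Any]   # constructed shape: email, ip, country_code, risk


class UnknownRuleError(ValueError):
    """Selector this evaluator cannot judge; callers treat it as no access."""


def rule_matches(rule: Rule, identity: Identity, groups: Mapping[str, Rule],
                 _stack: Tuple[str, ...] = ()) -> bool:
    """True if one rule matches the identity. Unmodelled selectors raise (fail closed)."""
    if len(rule) != 1:
        raise UnknownRuleError(f"a rule carries exactly one selector: {rule!r}")
    (kind, body), = rule.items()
    if kind == "everyone":                       # empty object which matches on all users
        return True
    if kind == "email":
        return identity.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":                   # match an entire email domain
        domain = identity.get("email", "").rpartition("@")[2]
        return bool(domain) and domain.lower() == body["domain"].lower()
    if kind == "ip":                             # IPv4 or IPv6 CIDR block
        try:
            addr = ipaddress.ip_address(identity["ip"])
        except (KeyError, ValueError):
            return False                         # no usable client address: no match
        return addr in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return identity.get("country_code") == body["country_code"]
    if kind == "user_risk_score":                # levels: low / medium / high / unscored
        return identity.get("risk", "unscored") in body["user_risk_score"]
    if kind == "group":                          # a previously created Access group
        gid = body["id"]
        if gid in _stack:
            raise UnknownRuleError(f"group reference cycle at {gid!r}")
        if gid not in groups:
            raise UnknownRuleError(f"unknown group id {gid!r}")
        return group_matches(groups[gid], identity, groups, _stack + (gid,))
    raise UnknownRuleError(f"selector {kind!r} is not modelled by this example")


def group_matches(group: Rule, identity: Identity, groups: Mapping[str, Rule],
                  _stack: Tuple[str, ...] = ()) -> bool:
    """Apply OR / NOT / AND across the three rule lists of one group."""
    include: Sequence[Rule] = group.get("include") or []
    exclude: Sequence[Rule] = group.get("exclude") or []
    require: Sequence[Rule] = group.get("require") or []
    # OR: at least one Include rule. An empty Include list therefore admits nobody.
    if not any(rule_matches(r, identity, groups, _stack) for r in include):
        return False
    # NOT: a single Exclude hit overrides any Include match.
    if any(rule_matches(r, identity, groups, _stack) for r in exclude):
        return False
    # AND: every Require rule; vacuously satisfied when the list is absent or empty.
    return all(rule_matches(r, identity, groups, _stack) for r in require)


# Constructed sample groups keyed by id; the ids reuse the ones in the page's examples.
GROUPS: Dict[str, Rule] = {
    "aa0a4aab-672b-4bdb-bc33-a59f1130a11f": {
        "name": "devs",
        "include": [{"email_domain": {"domain": "example.com"}}],
        "exclude": [{"email": {"email": "contractor@example.com"}}],
    },
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415": {
        "name": "Allow devs",
        "include": [{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],
        "require": [{"ip": {"ip": "203.0.113.0/24"}}, {"geo": {"country_code": "US"}}],
    },
}


def evaluate(group_id: str, identity: Identity, groups: Mapping[str, Rule] = GROUPS) -> bool:
    """Decide one identity against one group id; any evaluator error means no access."""
    try:
        return group_matches(groups[group_id], identity, groups)
    except (KeyError, UnknownRuleError):
        return False


if __name__ == "__main__":
    allow = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
    print(evaluate(allow, {"email": "alice@example.com", "ip": "203.0.113.7", "country_code": "US"}))       # True
    print(evaluate(allow, {"email": "contractor@example.com", "ip": "203.0.113.7", "country_code": "US"}))  # False
```

The contractor case shows why `exclude` on the referenced group propagates: the nested group fails, so the outer `include` has nothing to match.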
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.zero_trust.access.groups.update(
    group_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    include=[{
        "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
    }],
    name="Allow devs",
    account_id="account_id",
)
print(group.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access group

`zero_trust.access.groups.delete(str group_id, GroupDeleteParams **kwargs) -> GroupDeleteResponse`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Deletes an Access group.

### Parameters

- `group_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class GroupDeleteResponse: …`
  - `id: Optional[str]` UUID.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
group = client.zero_trust.access.groups.delete(
    group_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(group.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Zero Trust Group

- `class ZeroTrustGroup: …`
  - `id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource.
  - `display_name: Optional[str]` The display name of the SCIM Group resource.
  - `external_id: Optional[str]` The IdP-generated Id of the SCIM resource.
  - `meta: Optional[Meta]` The metadata of the SCIM resource.
    - `created: Optional[datetime]` The timestamp of when the SCIM resource was created.
    - `last_modified: Optional[datetime]` The timestamp of when the SCIM resource was last modified.
  - `schemas: Optional[List[str]]` The list of URIs which indicate the attributes contained within a SCIM resource.

### Group List Response

- `class GroupListResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Group Get Response

- `class GroupGetResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Group Create Response

- `class GroupCreateResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your Github identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Group Update Response

- `class GroupUpdateResponse: …`
  - `id: Optional[str]` UUID.
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `is_default: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `name: Optional[str]` The name of the Access group.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.

### Group Delete Response

- `class GroupDeleteResponse: …`
  - `id: Optional[str]` UUID.

# Service Tokens

## List service tokens

`zero_trust.access.service_tokens.list(ServiceTokenListParams **kwargs) -> SyncV4PagePaginationArray[ServiceToken]`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Lists all service tokens.

### Parameters

- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `name: Optional[str]` The name of the service token.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `search: Optional[str]` Search for service tokens by other listed query parameters.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.service_tokens.list(
    account_id="account_id",
)
service_token = page.result[0]
print(service_token.id)
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "duration": "60m",
      "expires_at": "2014-01-01T05:20:00.12345Z",
      "last_seen_at": "2014-01-01T05:20:00.12345Z",
      "name": "CI/CD token",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {"count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100}
}
```

## Get a service token

`zero_trust.access.service_tokens.get(str service_token_id, ServiceTokenGetParams **kwargs) -> ServiceToken`

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Fetches a single service token.

### Parameters

- `service_token_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.get(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a service token

`zero_trust.access.service_tokens.create(ServiceTokenCreateParams **kwargs) -> ServiceTokenCreateResponse`

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Generates a new service token.

**Note:** This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.

### Parameters

- `name: str` The name of the service token.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `client_secret_version: Optional[float]` A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
- `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
- `previous_client_secret_expires_at: Optional[Union[str, datetime]]` The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret, or move it into the past to immediately invalidate the previous secret in case of compromise.

### Returns

- `class ServiceTokenCreateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: Optional[str]` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.create(
    name="CI/CD token",
    account_id="account_id",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a service token

`zero_trust.access.service_tokens.update(str service_token_id, ServiceTokenUpdateParams **kwargs) -> ServiceToken`

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Updates a configured service token.

### Parameters

- `service_token_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
- `client_secret_version: Optional[float]` A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
- `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
- `name: Optional[str]` The name of the service token.
- `previous_client_secret_expires_at: Optional[Union[str, datetime]]` The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret, or move it into the past to immediately invalidate the previous secret in case of compromise.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.update(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a service token

`zero_trust.access.service_tokens.delete(str service_token_id, ServiceTokenDeleteParams **kwargs) -> ServiceToken`

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Deletes a service token.

### Parameters

- `service_token_id: str` UUID.
- `account_id: Optional[str]` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: Optional[str]` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.delete(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Refresh a service token

`zero_trust.access.service_tokens.refresh(str service_token_id, ServiceTokenRefreshParams **kwargs) -> ServiceToken`

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh`

Refreshes the expiration of a service token.

### Parameters

- `account_id: str` Identifier.
- `service_token_id: str` UUID.

### Returns

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
service_token = client.zero_trust.access.service_tokens.refresh(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(service_token.id)
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate a service token

`zero_trust.access.service_tokens.rotate(str service_token_id, ServiceTokenRotateParams **kwargs) -> ServiceTokenRotateResponse`

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate`

Generates a new Client Secret for a service token and revokes the old one.

### Parameters

- `account_id: str` Identifier.
- `service_token_id: str` UUID.
- `previous_client_secret_expires_at: Optional[Union[str, datetime]]` The expiration of the previous `client_secret`. If not provided, it defaults to the current timestamp in order to immediately expire the previous secret.

### Returns

- `class ServiceTokenRotateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: Optional[str]` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: Optional[str]` The name of the service token.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.service_tokens.rotate(
    service_token_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(response.id)
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Service Token

- `class ServiceToken: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: Optional[datetime]`
  - `name: Optional[str]` The name of the service token.
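A worked example added here (not code from the cloudflare SDK or its docs) that ties together the `duration`, `expires_at` and `previous_client_secret_expires_at` fields from the create, update and rotate sections above: it validates a duration string against the documented grammar, derives an expiry, and builds the rotation argument for a staged rollover versus an immediate revoke. All function names are hypothetical, the timestamps are constructed, and nothing here calls the API.

```python
"""Added example, not code from the cloudflare SDK or its docs: helpers for the
service-token fields documented above (`duration`, `expires_at`,
`previous_client_secret_expires_at`). Function names are hypothetical,
timestamps in the demo are constructed, and nothing here calls the API."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from fractions import Fraction

# Units accepted by `duration`, as documented: ns, us (or µs), ms, s, m, h.
# Values are nanoseconds per unit; integer arithmetic keeps parsing exact.
_UNIT_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "μs": 1_000,  # micro sign and Greek mu
    "ms": 1_000_000, "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9,
}
# Two-letter units come before "s" and "m" so "ms" is never read as "m".
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)")
DEFAULT_DURATION = "8760h"  # documented default: one year, expressed in hours


def duration_ns(text: str) -> int:
    """Parse a Go-style duration such as "300ms" or "2h45m" into nanoseconds.

    Every character must belong to a number+unit pair, so "", "45", "1d",
    "2h 45m" and "300MS" raise ValueError here instead of being rejected by
    the API after the request has already been sent.
    """
    pos, total = 0, Fraction(0)
    for match in _PART.finditer(text):
        if match.start() != pos:
            raise ValueError(f"invalid duration {text!r}")
        total += Fraction(match.group(1)) * _UNIT_NS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"invalid duration {text!r}")
    if total.denominator != 1:
        raise ValueError(f"{text!r} is finer than one nanosecond")
    return int(total)


def is_valid_duration(text: str) -> bool:
    """True when duration_ns() accepts `text`; handy as a pre-flight check."""
    try:
        duration_ns(text)
    except ValueError:
        return False
    return True


def expiry_from_duration(created_at_iso: str, duration: str | None) -> str:
    """ISO 8601 `expires_at` for a token created at `created_at_iso`.

    Assumption (the page implies it but does not spell it out): a token is
    valid for exactly `duration` after creation, with the documented 8760h
    default. Sub-microsecond precision is dropped because timedelta lacks it.
    """
    created_at = datetime.fromisoformat(created_at_iso)
    valid_for = timedelta(microseconds=duration_ns(duration or DEFAULT_DURATION) // 1000)
    return (created_at + valid_for).isoformat()


def rotation_kwargs(now_iso: str, grace_seconds: float | None) -> dict[str, str]:
    """Keyword argument for rotate() or update(): `previous_client_secret_expires_at`.

    grace_seconds=None mirrors the documented rotate() default (the previous
    secret stops being accepted right away, the right call after a suspected
    compromise). A positive value keeps the old secret accepted for that long
    so dependent services can be moved to the new secret without an outage.
    """
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp")
    if grace_seconds is not None and grace_seconds < 0:
        raise ValueError("grace must not be negative; use None to expire immediately")
    expires_at = now + timedelta(seconds=grace_seconds or 0)
    return {"previous_client_secret_expires_at": expires_at.isoformat()}


def previous_secret_accepted(previous_expires_at_iso: str, at_iso: str) -> bool:
    """Documented rule: the pre-rotation secret is accepted until its expiry."""
    return datetime.fromisoformat(at_iso) < datetime.fromisoformat(previous_expires_at_iso)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc).isoformat()  # constructed
    print("expires_at for a 60m token:", expiry_from_duration(now, "60m"))
    staged = rotation_kwargs(now, grace_seconds=3600)  # one-hour overlap window
    print("staged rotation:", staged)
    print("old secret still accepted 30 min later:",
          previous_secret_accepted(staged["previous_client_secret_expires_at"],
                                   "2024-01-01T12:30:00+00:00"))
    print("immediate revoke:", rotation_kwargs(now, None))
    # With a real client the staged dict is passed straight through, e.g.
    # client.zero_trust.access.service_tokens.rotate(
    #     service_token_id="...", account_id="...", **staged)
```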
### Service Token Create Response

- `class ServiceTokenCreateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: Optional[str]` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: Optional[str]` The name of the service token.

### Service Token Rotate Response

- `class ServiceTokenRotateResponse: …`
  - `id: Optional[str]` The ID of the service token.
  - `client_id: Optional[str]` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: Optional[str]` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: Optional[str]` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: Optional[str]` The name of the service token.

# Bookmarks

## List Bookmark applications

`zero_trust.access.bookmarks.list(BookmarkListParams **kwargs) -> SyncSinglePage[Bookmark]`

**get** `/accounts/{account_id}/access/bookmarks`

Lists Bookmark applications.

### Parameters

- `account_id: str`

### Returns

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.bookmarks.list(
    account_id="699d98642c564d2e855e9661899b7252",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "app_launcher_visible": true,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "domain": "example.com",
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "name": "My Website",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a Bookmark application

`zero_trust.access.bookmarks.get(str bookmark_id, BookmarkGetParams **kwargs) -> Bookmark`

**get** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Fetches a single Bookmark application.

### Parameters

- `account_id: str`
- `bookmark_id: str` UUID.

### Returns

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
bookmark = client.zero_trust.access.bookmarks.get(
    bookmark_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(bookmark.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a Bookmark application

`zero_trust.access.bookmarks.create(str bookmark_id, BookmarkCreateParams **kwargs) -> Bookmark`

**post** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Create a new Bookmark application.

### Parameters

- `account_id: str`
- `bookmark_id: str` UUID.
- `body: object`

### Returns

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
bookmark = client.zero_trust.access.bookmarks.create(
    bookmark_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    body={},
)
print(bookmark.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a Bookmark application

`zero_trust.access.bookmarks.update(str bookmark_id, BookmarkUpdateParams **kwargs) -> Bookmark`

**put** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Updates a configured Bookmark application.

### Parameters

- `account_id: str`
- `bookmark_id: str` UUID.
- `body: object`

### Returns

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
bookmark = client.zero_trust.access.bookmarks.update(
    bookmark_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
    body={},
)
print(bookmark.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "app_launcher_visible": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "domain": "example.com",
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "My Website",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a Bookmark application

`zero_trust.access.bookmarks.delete(str bookmark_id, BookmarkDeleteParams **kwargs) -> BookmarkDeleteResponse`

**delete** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Deletes a Bookmark application.

### Parameters

- `account_id: str`
- `bookmark_id: str` UUID.

### Returns

- `class BookmarkDeleteResponse: …`
  - `id: Optional[str]` UUID.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
bookmark = client.zero_trust.access.bookmarks.delete(
    bookmark_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="699d98642c564d2e855e9661899b7252",
)
print(bookmark.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Bookmark

- `class Bookmark: …`
  - `id: Optional[str]` The unique identifier for the Bookmark application.
  - `app_launcher_visible: Optional[bool]` Displays the application in the App Launcher.
  - `domain: Optional[str]` The domain of the Bookmark application.
  - `logo_url: Optional[str]` The image URL for the logo shown in the App Launcher dashboard.
  - `name: Optional[str]` The name of the Bookmark application.

### Bookmark Delete Response

- `class BookmarkDeleteResponse: …`
  - `id: Optional[str]` UUID.

# Keys

## Get the Access key configuration

`zero_trust.access.keys.get(KeyGetParams **kwargs) -> KeyGetResponse`

**get** `/accounts/{account_id}/access/keys`

Gets the Access key rotation settings for an account.

### Parameters

- `account_id: str` Identifier.

### Returns

- `class KeyGetResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
key = client.zero_trust.access.keys.get(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(key.days_until_next_rotation)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update the Access key configuration

`zero_trust.access.keys.update(KeyUpdateParams **kwargs) -> KeyUpdateResponse`

**put** `/accounts/{account_id}/access/keys`

Updates the Access key rotation settings for an account.

### Parameters

- `account_id: str` Identifier.
- `key_rotation_interval_days: float` The number of days between key rotations.

### Returns

- `class KeyUpdateResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
key = client.zero_trust.access.keys.update(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    key_rotation_interval_days=30,
)
print(key.days_until_next_rotation)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Access keys

`zero_trust.access.keys.rotate(KeyRotateParams **kwargs) -> KeyRotateResponse`

**post** `/accounts/{account_id}/access/keys/rotate`

Performs a key rotation for an account.

### Parameters

- `account_id: str` Identifier.

### Returns

- `class KeyRotateResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.zero_trust.access.keys.rotate(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(response.days_until_next_rotation)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Key Get Response

- `class KeyGetResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.

### Key Update Response

- `class KeyUpdateResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.

### Key Rotate Response

- `class KeyRotateResponse: …`
  - `days_until_next_rotation: Optional[float]` The number of days until the next key rotation.
  - `key_rotation_interval_days: Optional[float]` The number of days between key rotations.
  - `last_key_rotation_at: Optional[datetime]` The timestamp of the previous key rotation.
# Logs

# Access Requests

## Get Access authentication logs

`zero_trust.access.logs.access_requests.list(AccessRequestListParams **kwargs) -> AccessRequestListResponse`

**get** `/accounts/{account_id}/access/logs/access_requests`

Gets a list of Access authentication audit logs for an account.

### Parameters

- `account_id: str` Identifier.
- `allowed_op: Optional[Literal["eq", "neq"]]` Operator for the `allowed` filter.
  - `"eq"`
  - `"neq"`
- `app_type_op: Optional[Literal["eq", "neq"]]` Operator for the `app_type` filter.
  - `"eq"`
  - `"neq"`
- `app_uid_op: Optional[Literal["eq", "neq"]]` Operator for the `app_uid` filter.
  - `"eq"`
  - `"neq"`
- `country_code_op: Optional[Literal["eq", "neq"]]` Operator for the `country_code` filter.
  - `"eq"`
  - `"neq"`
- `direction: Optional[Literal["desc", "asc"]]` The chronological sorting order for the logs.
  - `"desc"`
  - `"asc"`
- `email: Optional[str]` Filter by user email. Defaults to substring matching. To force exact matching, set `email_exact=true`. Example (default): `email=@example.com` returns all events with that domain. Example (exact): `email=user@example.com&email_exact=true` returns only that user.
- `email_exact: Optional[bool]` When true, `email` is matched exactly instead of substring matching.
- `email_op: Optional[Literal["eq", "neq"]]` Operator for the `email` filter.
  - `"eq"`
  - `"neq"`
- `fields: Optional[str]` Comma-separated list of fields to include in the response. When omitted, all fields are returned.
- `idp_op: Optional[Literal["eq", "neq"]]` Operator for the `idp` filter.
  - `"eq"`
  - `"neq"`
- `limit: Optional[int]` The maximum number of log entries to retrieve.
- `non_identity_op: Optional[Literal["eq", "neq"]]` Operator for the `non_identity` filter.
  - `"eq"`
  - `"neq"`
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `rayid_op: Optional[Literal["eq", "neq"]]` Operator for the `ray_id` filter.
  - `"eq"`
  - `"neq"`
- `since: Optional[Union[str, datetime]]` The earliest event timestamp to query.
- `until: Optional[Union[str, datetime]]` The latest event timestamp to query.
- `user_id: Optional[str]` Filter by user UUID.
- `user_id_op: Optional[Literal["eq", "neq"]]` Operator for the `user_id` filter.
  - `"eq"`
  - `"neq"`

### Returns

- `List[AccessRequest]`
  - `action: Optional[str]` The event that occurred, such as a login attempt.
  - `allowed: Optional[bool]` The result of the authentication event.
  - `app_domain: Optional[str]` The URL of the Access application.
  - `app_uid: Optional[str]` The unique identifier for the Access application.
  - `connection: Optional[str]` The IdP used to authenticate.
  - `created_at: Optional[datetime]`
  - `ip_address: Optional[str]` The IP address of the authenticating user.
  - `rayid: Optional[str]` The unique identifier for the request to Cloudflare.
  - `user_email: Optional[str]` The email address of the authenticating user.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
access_requests = client.zero_trust.access.logs.access_requests.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(access_requests)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "action": "login",
      "allowed": true,
      "app_domain": "test.example.com/admin",
      "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "connection": "saml",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "ip_address": "198.41.129.166",
      "ray_id": "187d944c61940c77",
      "user_email": "user@example.com"
    }
  ]
}
```
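The `result` entries above are what a detection pipeline consumes once the list call has been paged (`since`/`until`, `allowed_op`, `email`). The block below is an added example, not part of the Cloudflare SDK or its documentation: it runs over a constructed set of entries in the same shape (made-up values, timestamps in the response's `created_at` format) and reports denied logins per user and per source IP, users whose denials cluster inside a short window, and successful logins that directly follow denials from the same IP. The ten-minute window and the threshold of three are assumed tuning values, and the function names are mine. Because the Returns list names the request identifier `rayid` while the sample JSON uses `ray_id`, the helper reads either key.

```python
"""Added example (not part of the Cloudflare SDK or its docs).

Summarises Access authentication log entries shaped like the `result`
array above: denials per user and per IP, users whose failed logins
cluster inside a short window, and successes that follow denials.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

_APP = {"app_domain": "test.example.com/admin",
        "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "connection": "saml"}

# Constructed sample entries (made-up values and ray IDs, not real log data).
SAMPLE_EVENTS = [
    {"action": "login", "allowed": False, "created_at": "2014-01-01T05:20:00.12345Z",
     "ip_address": "198.41.129.166", "ray_id": "187d944c61940c77", "user_email": "user@example.com", **_APP},
    {"action": "login", "allowed": False, "created_at": "2014-01-01T05:21:30Z",
     "ip_address": "198.41.129.166", "ray_id": "187d944c61940c78", "user_email": "user@example.com", **_APP},
    {"action": "login", "allowed": False, "created_at": "2014-01-01T05:23:10Z",
     "ip_address": "198.41.129.166", "rayid": "187d944c61940c79", "user_email": "user@example.com", **_APP},
    {"action": "login", "allowed": True, "created_at": "2014-01-01T05:24:00Z",
     "ip_address": "198.41.129.166", "ray_id": "187d944c61940c7a", "user_email": "user@example.com", **_APP},
    {"action": "login", "allowed": False, "created_at": "2014-01-01T05:30:00Z",
     "ip_address": "203.0.113.7", "ray_id": "187d944c61940c7b", "user_email": "alice@example.com", **_APP},
    {"action": "login", "allowed": True, "created_at": "2014-01-01T05:31:00Z",
     "ip_address": "203.0.113.8", "ray_id": "187d944c61940c7c", "user_email": "bob@example.com", **_APP},
]


def parse_timestamp(value: str) -> datetime:
    """Parse `created_at` (RFC 3339, UTC 'Z', optional fraction of any length)."""
    if value.endswith("Z"):
        value = value[:-1]
    base, _, frac = value.partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=timezone.utc)


def ray_id_of(event: dict) -> str:
    """The docs call the field `rayid`; the sample JSON uses `ray_id`. Accept both."""
    return event.get("ray_id") or event.get("rayid") or ""


def _is_denied_login(event: dict) -> bool:
    return event.get("action") == "login" and event.get("allowed") is False


def denials_per_user(events) -> Counter:
    return Counter(e["user_email"] for e in events if _is_denied_login(e) and e.get("user_email"))


def denials_per_ip(events) -> Counter:
    return Counter(e["ip_address"] for e in events if _is_denied_login(e) and e.get("ip_address"))


def flag_denial_bursts(events, threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> dict:
    """Users with at least `threshold` denied logins inside any `window`.
    Returns {user_email: largest number of denials seen in one window}."""
    times_by_user = defaultdict(list)
    for e in events:
        if _is_denied_login(e) and e.get("user_email"):
            times_by_user[e["user_email"]].append(parse_timestamp(e["created_at"]))
    flagged = {}
    for email, times in times_by_user.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted denial times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[email] = best
    return flagged


def success_after_denials(events, window: timedelta = timedelta(minutes=10)) -> list:
    """Allowed logins that follow a denied login for the same (user, IP) within
    `window`; worth a look whether it is a typo or a guessed credential.
    Returns [(user_email, ip_address, ray id of the successful login)]."""
    last_denial = {}
    hits = []
    for e in sorted(events, key=lambda e: parse_timestamp(e["created_at"])):
        key = (e.get("user_email"), e.get("ip_address"))
        when = parse_timestamp(e["created_at"])
        if _is_denied_login(e):
            last_denial[key] = when
        elif e.get("action") == "login" and e.get("allowed") is True:
            if key in last_denial and when - last_denial[key] <= window:
                hits.append((key[0], key[1], ray_id_of(e)))
    return hits


if __name__ == "__main__":
    print(denials_per_user(SAMPLE_EVENTS), denials_per_ip(SAMPLE_EVENTS))
    print(flag_denial_bursts(SAMPLE_EVENTS), success_after_denials(SAMPLE_EVENTS))
```

In practice the input list comes from paging `access_requests.list()` with a `since` bound; the `ray_id` values the functions return are what to pass back through `rayid_op` or search for in other Cloudflare logs when following up on a hit.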
## Domain Types

### Access Request List Response

- `List[AccessRequest]`
  - `action: Optional[str]` The event that occurred, such as a login attempt.
  - `allowed: Optional[bool]` The result of the authentication event.
  - `app_domain: Optional[str]` The URL of the Access application.
  - `app_uid: Optional[str]` The unique identifier for the Access application.
  - `connection: Optional[str]` The IdP used to authenticate.
  - `created_at: Optional[datetime]`
  - `ip_address: Optional[str]` The IP address of the authenticating user.
  - `rayid: Optional[str]` The unique identifier for the request to Cloudflare.
  - `user_email: Optional[str]` The email address of the authenticating user.

# SCIM

## Domain Types

### Access Request

- `class AccessRequest: …`
  - `action: Optional[str]` The event that occurred, such as a login attempt.
  - `allowed: Optional[bool]` The result of the authentication event.
  - `app_domain: Optional[str]` The URL of the Access application.
  - `app_uid: Optional[str]` The unique identifier for the Access application.
  - `connection: Optional[str]` The IdP used to authenticate.
  - `created_at: Optional[datetime]`
  - `ip_address: Optional[str]` The IP address of the authenticating user.
  - `rayid: Optional[str]` The unique identifier for the request to Cloudflare.
  - `user_email: Optional[str]` The email address of the authenticating user.

# Updates

## List Access SCIM update logs

`zero_trust.access.logs.scim.updates.list(UpdateListParams **kwargs) -> SyncV4PagePaginationArray[UpdateListResponse]`

**get** `/accounts/{account_id}/access/logs/scim/updates`

Lists Access SCIM update logs that maintain a record of updates made to User and Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Parameters

- `account_id: str` Identifier.
- `idp_id: SequenceNotStr[str]` The unique Id of the IdP that has SCIM enabled.
- `cf_resource_id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource.
- `direction: Optional[Literal["desc", "asc"]]` The chronological order used to sort the logs.
  - `"desc"`
  - `"asc"`
- `idp_resource_id: Optional[str]` The IdP-generated Id of the SCIM resource.
- `limit: Optional[int]` The maximum number of update logs to retrieve.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `request_method: Optional[List[Literal["DELETE", "PATCH", "POST", "PUT"]]]` The request method of the SCIM request.
  - `"DELETE"`
  - `"PATCH"`
  - `"POST"`
  - `"PUT"`
- `resource_group_name: Optional[str]` The display name of the SCIM Group resource.
- `resource_type: Optional[List[Literal["USER", "GROUP"]]]` The resource type of the SCIM request.
  - `"USER"`
  - `"GROUP"`
- `resource_user_email: Optional[str]` The email address of the SCIM User resource.
- `since: Optional[Union[str, datetime]]` The timestamp of the earliest update log.
- `status: Optional[List[Literal["FAILURE", "SUCCESS"]]]` The status of the SCIM request.
  - `"FAILURE"`
  - `"SUCCESS"`
- `until: Optional[Union[str, datetime]]` The timestamp of the most recent update log.

### Returns

- `class UpdateListResponse: …`
  - `cf_resource_id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description: Optional[str]` The error message which is generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id: Optional[str]` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id: Optional[str]` The IdP-generated Id of the SCIM resource.
  - `logged_at: Optional[datetime]`
  - `request_body: Optional[str]` The JSON-encoded string body of the SCIM request.
  - `request_method: Optional[str]` The request method of the SCIM request.
  - `resource_group_name: Optional[str]` The display name of the SCIM Group resource if it exists.
  - `resource_type: Optional[str]` The resource type of the SCIM request.
  - `resource_user_email: Optional[str]` The email address of the SCIM User resource if it exists.
  - `status: Optional[str]` The status of the SCIM request.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_email=os.environ.get("CLOUDFLARE_EMAIL"),  # This is the default and can be omitted
    api_key=os.environ.get("CLOUDFLARE_API_KEY"),  # This is the default and can be omitted
)
page = client.zero_trust.access.logs.scim.updates.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    idp_id=["df7e2w5f-02b7-4d9d-af26-8d1988fca630", "0194ae2c-efcf-7cfb-8884-055f1a161fa5"],
)
page = page.result[0]
print(page.cf_resource_id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "cf_resource_id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "error_description": "Invalid JSON body",
      "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "idp_resource_id": "all_employees",
      "logged_at": "2014-01-01T05:20:00.12345Z",
      "request_body": "{}}",
      "request_method": "DELETE",
      "resource_group_name": "ALL_EMPLOYEES",
      "resource_type": "GROUP",
      "resource_user_email": "john.smith@example.com",
      "status": "FAILURE"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Update List Response

- `class UpdateListResponse: …`
  - `cf_resource_id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description: Optional[str]` The error message which is generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id: Optional[str]` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id: Optional[str]` The IdP-generated Id of the SCIM resource.
  - `logged_at: Optional[datetime]`
  - `request_body: Optional[str]` The JSON-encoded string body of the SCIM request.
  - `request_method: Optional[str]` The request method of the SCIM request.
  - `resource_group_name: Optional[str]` The display name of the SCIM Group resource if it exists.
  - `resource_type: Optional[str]` The resource type of the SCIM request.
  - `resource_user_email: Optional[str]` The email address of the SCIM User resource if it exists.
  - `status: Optional[str]` The status of the SCIM request.

# Users

## Get users

`zero_trust.access.users.list(UserListParams **kwargs) -> SyncV4PagePaginationArray[UserListResponse]`

**get** `/accounts/{account_id}/access/users`

Gets a list of users for an account.

### Parameters

- `account_id: str` Identifier.
- `email: Optional[str]` The email of the user.
- `name: Optional[str]` The name of the user.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.
- `search: Optional[str]` Search for users by other listed query parameters.

### Returns

- `class UserListResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.users.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "access_seat": false,
      "active_device_count": 2,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "email": "jdoe@example.com",
      "gateway_seat": false,
      "last_successful_login": "2020-07-01T05:20:00Z",
      "name": "Jane Doe",
      "seat_uid": "seat_uid",
      "uid": "uid",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 100,
    "total_count": 1,
    "total_pages": 100
  }
}
```

## Get a user

`zero_trust.access.users.get(str user_id, UserGetParams **kwargs) -> UserGetResponse`

**get** `/accounts/{account_id}/access/users/{user_id}`

Gets a specific user for an account.

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.

### Returns

- `class UserGetResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
user = client.zero_trust.access.users.get(
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(user.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a user

`zero_trust.access.users.create(UserCreateParams **kwargs) -> UserCreateResponse`

**post** `/accounts/{account_id}/access/users`

Creates a new user.

### Parameters

- `account_id: str` Identifier.
- `email: str` The email of the user.
- `name: Optional[str]` The name of the user.

### Returns

- `class UserCreateResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: Optional[float]` The number of active devices registered to the user.
  - `created_at: Optional[datetime]`
  - `email: Optional[str]` The email of the user.
  - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client.
  - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in.
  - `name: Optional[str]` The name of the user.
  - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat.
  - `uid: Optional[str]` The unique API identifier for the user.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
user = client.zero_trust.access.users.create(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    email="jdoe@example.com",
)
print(user.id)
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a user

`zero_trust.access.users.update(str user_id, UserUpdateParams **kwargs) -> UserUpdateResponse`

**put** `/accounts/{account_id}/access/users/{user_id}`

Updates a specific user's name for an account. Requires the user's current email as confirmation (email cannot be changed).

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.
- `email: str` The email of the user.
- `name: str` The name of the user.

### Returns

- `class UserUpdateResponse: …`
  - `id: Optional[str]` UUID.
  - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access.
- `active_device_count: Optional[float]` The number of active devices registered to the user. - `created_at: Optional[datetime]` - `email: Optional[str]` The email of the user. - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client. - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in. - `name: Optional[str]` The name of the user. - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat. - `uid: Optional[str]` The unique API identifier for the user. - `updated_at: Optional[datetime]` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) user = client.zero_trust.access.users.update( user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", email="jdoe@example.com", name="Jane Doe", ) print(user.id) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "access_seat": false, "active_device_count": 2, "created_at": "2014-01-01T05:20:00.12345Z", "email": "jdoe@example.com", "gateway_seat": false, "last_successful_login": "2020-07-01T05:20:00Z", "name": "Jane Doe", "seat_uid": "seat_uid", "uid": "uid", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a user `zero_trust.access.users.delete(struser_id, UserDeleteParams**kwargs) -> object` **delete** `/accounts/{account_id}/access/users/{user_id}` Deletes a specific user for an account. This will also revoke any active seats and tokens for the user. ### Parameters - `account_id: str` Identifier. - `user_id: str` UUID. 
### Returns - `object` ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) user = client.zero_trust.access.users.delete( user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(user) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### Access User - `class AccessUser: …` - `id: Optional[str]` The unique Cloudflare-generated Id of the SCIM resource. - `active: Optional[bool]` Determines the status of the SCIM User resource. - `display_name: Optional[str]` The name of the SCIM User resource. - `emails: Optional[List[Email]]` - `primary: Optional[bool]` Indicates if the email address is the primary email belonging to the SCIM User resource. - `type: Optional[str]` Indicates the type of the email address. - `value: Optional[str]` The email address of the SCIM User resource. - `external_id: Optional[str]` The IdP-generated Id of the SCIM resource. - `meta: Optional[Meta]` The metadata of the SCIM resource. - `created: Optional[datetime]` The timestamp of when the SCIM resource was created. - `last_modified: Optional[datetime]` The timestamp of when the SCIM resource was last modified. - `schemas: Optional[List[str]]` The list of URIs which indicate the attributes contained within a SCIM resource. ### User List Response - `class UserListResponse: …` - `id: Optional[str]` UUID. - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access. - `active_device_count: Optional[float]` The number of active devices registered to the user. 
- `created_at: Optional[datetime]` - `email: Optional[str]` The email of the user. - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client. - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in. - `name: Optional[str]` The name of the user. - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat. - `uid: Optional[str]` The unique API identifier for the user. - `updated_at: Optional[datetime]` ### User Get Response - `class UserGetResponse: …` - `id: Optional[str]` UUID. - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access. - `active_device_count: Optional[float]` The number of active devices registered to the user. - `created_at: Optional[datetime]` - `email: Optional[str]` The email of the user. - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client. - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in. - `name: Optional[str]` The name of the user. - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat. - `uid: Optional[str]` The unique API identifier for the user. - `updated_at: Optional[datetime]` ### User Create Response - `class UserCreateResponse: …` - `id: Optional[str]` UUID. - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access. - `active_device_count: Optional[float]` The number of active devices registered to the user. - `created_at: Optional[datetime]` - `email: Optional[str]` The email of the user. - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client. - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in. - `name: Optional[str]` The name of the user. - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat. - `uid: Optional[str]` The unique API identifier for the user. 
- `updated_at: Optional[datetime]` ### User Update Response - `class UserUpdateResponse: …` - `id: Optional[str]` UUID. - `access_seat: Optional[bool]` True if the user has authenticated with Cloudflare Access. - `active_device_count: Optional[float]` The number of active devices registered to the user. - `created_at: Optional[datetime]` - `email: Optional[str]` The email of the user. - `gateway_seat: Optional[bool]` True if the user has logged into the WARP client. - `last_successful_login: Optional[datetime]` The time at which the user last successfully logged in. - `name: Optional[str]` The name of the user. - `seat_uid: Optional[str]` The unique API identifier for the Zero Trust seat. - `uid: Optional[str]` The unique API identifier for the user. - `updated_at: Optional[datetime]` # Active Sessions ## Get active sessions `zero_trust.access.users.active_sessions.list(struser_id, ActiveSessionListParams**kwargs) -> SyncSinglePage[ActiveSessionListResponse]` **get** `/accounts/{account_id}/access/users/{user_id}/active_sessions` Get active sessions for a single user. ### Parameters - `account_id: str` Identifier. - `user_id: str` UUID. 
### Returns

- `class ActiveSessionListResponse: …`
  - `expiration: Optional[int]`
  - `metadata: Optional[Metadata]`
    - `apps: Optional[Dict[str, MetadataApps]]`
      - `hostname: Optional[str]`
      - `name: Optional[str]`
      - `type: Optional[str]`
      - `uid: Optional[str]`
    - `expires: Optional[int]`
    - `iat: Optional[int]`
    - `nonce: Optional[str]`
    - `ttl: Optional[int]`
  - `name: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.users.active_sessions.list(
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.expiration)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "expiration": 1694813506,
      "metadata": {
        "apps": {
          "foo": {
            "hostname": "test.example.com",
            "name": "app name",
            "type": "self_hosted",
            "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e"
          }
        },
        "expires": 1694813506,
        "iat": 1694791905,
        "nonce": "X1aXj1lFVcqqyoXF",
        "ttl": 21600
      },
      "name": "name"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get single active session

`zero_trust.access.users.active_sessions.get(str nonce, ActiveSessionGetParams **kwargs) -> ActiveSessionGetResponse`

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}`

Get an active session for a single user.

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.
- `nonce: str`

### Returns

- `class ActiveSessionGetResponse: …`
  - `account_id: Optional[str]`
  - `auth_status: Optional[str]`
  - `common_name: Optional[str]`
  - `device_id: Optional[str]`
  - `device_sessions: Optional[Dict[str, DeviceSessions]]`
    - `last_authenticated: Optional[float]`
  - `device_posture: Optional[Dict[str, DevicePosture]]`
    - `id: Optional[str]`
    - `check: Optional[DevicePostureCheck]`
      - `exists: Optional[bool]`
      - `path: Optional[str]`
    - `data: Optional[object]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `rule_name: Optional[str]`
    - `success: Optional[bool]`
    - `timestamp: Optional[str]`
    - `type: Optional[str]`
  - `email: Optional[str]`
  - `geo: Optional[UserPolicyCheckGeo]`
    - `country: Optional[str]`
  - `iat: Optional[float]`
  - `idp: Optional[IdP]`
    - `id: Optional[str]`
    - `type: Optional[str]`
  - `ip: Optional[str]`
  - `is_gateway: Optional[bool]`
  - `is_warp: Optional[bool]`
  - `is_active: Optional[bool]`
  - `mtls_auth: Optional[MTLSAuth]`
    - `auth_status: Optional[str]`
    - `cert_issuer_dn: Optional[str]`
    - `cert_issuer_ski: Optional[str]`
    - `cert_presented: Optional[bool]`
    - `cert_serial: Optional[str]`
  - `service_token_id: Optional[str]`
  - `service_token_status: Optional[bool]`
  - `user_uuid: Optional[str]`
  - `version: Optional[float]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
active_session = client.zero_trust.access.users.active_sessions.get(
    nonce="X1aXj1lFVcqqyoXF",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
)
print(active_session.account_id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "account_id": "1234567890",
    "auth_status": "NONE",
    "common_name": "",
    "device_id": "",
    "device_sessions": { "foo": { "last_authenticated": 1638832687 } },
    "devicePosture": {
      "foo": {
        "id": "id",
        "check": { "exists": true, "path": "path" },
        "data": {},
        "description": "description",
        "error": "error",
        "rule_name": "rule_name",
        "success": true,
        "timestamp": "timestamp",
        "type": "type"
      }
    },
    "email": "test@cloudflare.com",
    "geo": { "country": "US" },
    "iat": 1694791905,
    "idp": { "id": "id", "type": "type" },
    "ip": "127.0.0.0",
    "is_gateway": false,
    "is_warp": false,
    "isActive": true,
    "mtls_auth": {
      "auth_status": "auth_status",
      "cert_issuer_dn": "cert_issuer_dn",
      "cert_issuer_ski": "cert_issuer_ski",
      "cert_presented": true,
      "cert_serial": "cert_serial"
    },
    "service_token_id": "",
    "service_token_status": false,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
    "version": 2
  }
}
```

## Domain Types

### Active Session List Response

- `class ActiveSessionListResponse: …`
  - `expiration: Optional[int]`
  - `metadata: Optional[Metadata]`
    - `apps: Optional[Dict[str, MetadataApps]]`
      - `hostname: Optional[str]`
      - `name: Optional[str]`
      - `type: Optional[str]`
      - `uid: Optional[str]`
    - `expires: Optional[int]`
    - `iat: Optional[int]`
    - `nonce: Optional[str]`
    - `ttl: Optional[int]`
  - `name: Optional[str]`

### Active Session Get Response

- `class ActiveSessionGetResponse: …`
  - `account_id: Optional[str]`
  - `auth_status: Optional[str]`
  - `common_name: Optional[str]`
  - `device_id: Optional[str]`
  - `device_sessions: Optional[Dict[str, DeviceSessions]]`
    - `last_authenticated: Optional[float]`
  - `device_posture: Optional[Dict[str, DevicePosture]]`
    - `id: Optional[str]`
    - `check: Optional[DevicePostureCheck]`
      - `exists: Optional[bool]`
      - `path: Optional[str]`
    - `data: Optional[object]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `rule_name: Optional[str]`
    - `success: Optional[bool]`
    - `timestamp: Optional[str]`
    - `type: Optional[str]`
  - `email: Optional[str]`
  - `geo: Optional[UserPolicyCheckGeo]`
    - `country: Optional[str]`
  - `iat: Optional[float]`
  - `idp: Optional[IdP]`
    - `id: Optional[str]`
    - `type: Optional[str]`
  - `ip: Optional[str]`
  - `is_gateway: Optional[bool]`
  - `is_warp: Optional[bool]`
  - `is_active: Optional[bool]`
  - `mtls_auth: Optional[MTLSAuth]`
    - `auth_status: Optional[str]`
    - `cert_issuer_dn: Optional[str]`
    - `cert_issuer_ski: Optional[str]`
    - `cert_presented: Optional[bool]`
    - `cert_serial: Optional[str]`
  - `service_token_id: Optional[str]`
  - `service_token_status: Optional[bool]`
  - `user_uuid: Optional[str]`
  - `version: Optional[float]`

# Last Seen Identity

## Get last seen identity

`zero_trust.access.users.last_seen_identity.get(str user_id, LastSeenIdentityGetParams **kwargs) -> Identity`

**get** `/accounts/{account_id}/access/users/{user_id}/last_seen_identity`

Get last seen identity for a single user.

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.

### Returns

- `class Identity: …`
  - `account_id: Optional[str]`
  - `auth_status: Optional[str]`
  - `common_name: Optional[str]`
  - `device_id: Optional[str]`
  - `device_sessions: Optional[Dict[str, DeviceSessions]]`
    - `last_authenticated: Optional[float]`
  - `device_posture: Optional[Dict[str, DevicePosture]]`
    - `id: Optional[str]`
    - `check: Optional[DevicePostureCheck]`
      - `exists: Optional[bool]`
      - `path: Optional[str]`
    - `data: Optional[object]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `rule_name: Optional[str]`
    - `success: Optional[bool]`
    - `timestamp: Optional[str]`
    - `type: Optional[str]`
  - `email: Optional[str]`
  - `geo: Optional[UserPolicyCheckGeo]`
    - `country: Optional[str]`
  - `iat: Optional[float]`
  - `idp: Optional[IdP]`
    - `id: Optional[str]`
    - `type: Optional[str]`
  - `ip: Optional[str]`
  - `is_gateway: Optional[bool]`
  - `is_warp: Optional[bool]`
  - `mtls_auth: Optional[MTLSAuth]`
    - `auth_status: Optional[str]`
    - `cert_issuer_dn: Optional[str]`
    - `cert_issuer_ski: Optional[str]`
    - `cert_presented: Optional[bool]`
    - `cert_serial: Optional[str]`
  - `service_token_id: Optional[str]`
  - `service_token_status: Optional[bool]`
  - `user_uuid: Optional[str]`
  - `version: Optional[float]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
identity = client.zero_trust.access.users.last_seen_identity.get(
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(identity.account_id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "account_id": "1234567890",
    "auth_status": "NONE",
    "common_name": "",
    "device_id": "",
    "device_sessions": { "foo": { "last_authenticated": 1638832687 } },
    "devicePosture": {
      "foo": {
        "id": "id",
        "check": { "exists": true, "path": "path" },
        "data": {},
        "description": "description",
        "error": "error",
        "rule_name": "rule_name",
        "success": true,
        "timestamp": "timestamp",
        "type": "type"
      }
    },
    "email": "test@cloudflare.com",
    "geo": { "country": "US" },
    "iat": 1694791905,
    "idp": { "id": "id", "type": "type" },
    "ip": "127.0.0.0",
    "is_gateway": false,
    "is_warp": false,
    "mtls_auth": {
      "auth_status": "auth_status",
      "cert_issuer_dn": "cert_issuer_dn",
      "cert_issuer_ski": "cert_issuer_ski",
      "cert_presented": true,
      "cert_serial": "cert_serial"
    },
    "service_token_id": "",
    "service_token_status": false,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
    "version": 2
  }
}
```

## Domain Types

### Identity

- `class Identity: …`
  - `account_id: Optional[str]`
  - `auth_status: Optional[str]`
  - `common_name: Optional[str]`
  - `device_id: Optional[str]`
  - `device_sessions: Optional[Dict[str, DeviceSessions]]`
    - `last_authenticated: Optional[float]`
  - `device_posture: Optional[Dict[str, DevicePosture]]`
    - `id: Optional[str]`
    - `check: Optional[DevicePostureCheck]`
      - `exists: Optional[bool]`
      - `path: Optional[str]`
    - `data: Optional[object]`
    - `description: Optional[str]`
    - `error: Optional[str]`
    - `rule_name: Optional[str]`
    - `success: Optional[bool]`
    - `timestamp: Optional[str]`
    - `type: Optional[str]`
  - `email: Optional[str]`
  - `geo: Optional[UserPolicyCheckGeo]`
    - `country: Optional[str]`
  - `iat: Optional[float]`
  - `idp: Optional[IdP]`
    - `id: Optional[str]`
    - `type: Optional[str]`
  - `ip: Optional[str]`
  - `is_gateway: Optional[bool]`
  - `is_warp: Optional[bool]`
  - `mtls_auth: Optional[MTLSAuth]`
    - `auth_status: Optional[str]`
    - `cert_issuer_dn: Optional[str]`
    - `cert_issuer_ski: Optional[str]`
    - `cert_presented: Optional[bool]`
    - `cert_serial: Optional[str]`
  - `service_token_id: Optional[str]`
  - `service_token_status: Optional[bool]`
  - `user_uuid: Optional[str]`
  - `version: Optional[float]`

# Failed Logins

## Get failed logins

`zero_trust.access.users.failed_logins.list(str user_id, FailedLoginListParams **kwargs) -> SyncSinglePage[FailedLoginListResponse]`

**get** `/accounts/{account_id}/access/users/{user_id}/failed_logins`

Get all failed login attempts for a single user.

### Parameters

- `account_id: str` Identifier.
- `user_id: str` UUID.
### Returns

- `class FailedLoginListResponse: …`
  - `expiration: Optional[int]`
  - `metadata: Optional[object]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.users.failed_logins.list(
    user_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.expiration)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "expiration": 0,
      "metadata": {
        "app_name": "Test App",
        "aud": "39691c1480a2352a18ece567debc2b32552686cbd38eec0887aa18d5d3f00c04",
        "datetime": "2022-02-02T21:54:34.914Z",
        "ray_id": "6d76a8a42ead4133",
        "user_email": "test@cloudflare.com",
        "user_uuid": "57171132-e453-4ee8-b2a5-8cbaad333207"
      }
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Failed Login List Response

- `class FailedLoginListResponse: …`
  - `expiration: Optional[int]`
  - `metadata: Optional[object]`

# Custom Pages

## List custom pages

`zero_trust.access.custom_pages.list(CustomPageListParams **kwargs) -> SyncV4PagePaginationArray[CustomPageWithoutHTML]`

**get** `/accounts/{account_id}/access/custom_pages`

List custom pages.

### Parameters

- `account_id: str` Identifier.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.

### Returns

- `class CustomPageWithoutHTML: …`
  - `name: str` Custom page name.
  - `type: Literal["identity_denied", "forbidden"]` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid: Optional[str]` UUID.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.custom_pages.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
page = page.result[0]
print(page.uid)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": [
    {
      "name": "name",
      "type": "identity_denied",
      "app_count": 0,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a custom page

`zero_trust.access.custom_pages.get(str custom_page_id, CustomPageGetParams **kwargs) -> CustomPage`

**get** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Fetches a custom page and also returns its HTML.

### Parameters

- `account_id: str` Identifier.
- `custom_page_id: str` UUID.

### Returns

- `class CustomPage: …`
  - `custom_html: str` Custom page HTML.
  - `name: str` Custom page name.
  - `type: Literal["identity_denied", "forbidden"]` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid: Optional[str]` UUID.
### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom_page = client.zero_trust.access.custom_pages.get(
    custom_page_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(custom_page.uid)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "custom_html": "<html><body><h1>Access Denied</h1></body></html>",
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a custom page

`zero_trust.access.custom_pages.create(CustomPageCreateParams **kwargs) -> CustomPageWithoutHTML`

**post** `/accounts/{account_id}/access/custom_pages`

Create a custom page.

### Parameters

- `account_id: str` Identifier.
- `custom_html: str` Custom page HTML.
- `name: str` Custom page name.
- `type: Literal["identity_denied", "forbidden"]` Custom page type.
  - `"identity_denied"`
  - `"forbidden"`

### Returns

- `class CustomPageWithoutHTML: …`
  - `name: str` Custom page name.
  - `type: Literal["identity_denied", "forbidden"]` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid: Optional[str]` UUID.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom_page_without_html = client.zero_trust.access.custom_pages.create(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    custom_html="<html><body><h1>Access Denied</h1></body></html>",
    name="name",
    type="identity_denied",
)
print(custom_page_without_html.uid)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a custom page

`zero_trust.access.custom_pages.update(str custom_page_id, CustomPageUpdateParams **kwargs) -> CustomPageWithoutHTML`

**put** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Update a custom page.

### Parameters

- `account_id: str` Identifier.
- `custom_page_id: str` UUID.
- `custom_html: str` Custom page HTML.
- `name: str` Custom page name.
- `type: Literal["identity_denied", "forbidden"]` Custom page type.
  - `"identity_denied"`
  - `"forbidden"`

### Returns

- `class CustomPageWithoutHTML: …`
  - `name: str` Custom page name.
  - `type: Literal["identity_denied", "forbidden"]` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid: Optional[str]` UUID.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom_page_without_html = client.zero_trust.access.custom_pages.update(
    custom_page_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    custom_html="<html><body><h1>Access Denied</h1></body></html>",
    name="name",
    type="identity_denied",
)
print(custom_page_without_html.uid)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a custom page

`zero_trust.access.custom_pages.delete(str custom_page_id, CustomPageDeleteParams **kwargs) -> CustomPageDeleteResponse`

**delete** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Delete a custom page.

### Parameters

- `account_id: str` Identifier.
- `custom_page_id: str` UUID.

### Returns

- `class CustomPageDeleteResponse: …`
  - `id: Optional[str]` UUID.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
custom_page = client.zero_trust.access.custom_pages.delete(
    custom_page_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(custom_page.id)
```

#### Response

```json
{
  "errors": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "messages": [{ "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }],
  "success": true,
  "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }
}
```

## Domain Types

### Custom Page

- `class CustomPage: …`
  - `custom_html: str` Custom page HTML.
  - `name: str` Custom page name.
  - `type: Literal["identity_denied", "forbidden"]` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid: Optional[str]` UUID.
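The `custom_html` body accepted by `custom_pages.create` and `custom_pages.update` is rendered to end users on the Access denial path, so it is worth gating what gets pushed there. The following is an added example, not part of the Cloudflare SDK or its documentation: a pre-flight linter (using only the standard library) that rejects active content and non-allowlisted external resources before the create call is made. The allowlist, the `build_create_params` helper, and the sample HTML strings are constructed here.

```python
"""Pre-flight check for Access custom page HTML (added example, not SDK code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Iterable, List, Set
from urllib.parse import urlparse

# Attributes that can load or navigate to a URL.
URL_ATTRS = {"src", "href", "action", "formaction", "data", "poster"}
# Elements we refuse outright on a denial page (scripting, framing, credential capture).
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed", "base", "form"}
BLOCKED_SCHEMES = ("javascript:", "data:", "vbscript:")
PAGE_TYPES = ("identity_denied", "forbidden")  # the two values the API accepts


@dataclass
class LintResult:
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


class _CustomHTMLLinter(HTMLParser):
    """Walks the markup and records policy findings."""

    def __init__(self, allowed_hosts: Set[str]) -> None:
        super().__init__(convert_charrefs=True)
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.result = LintResult()

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        tag = tag.lower()
        if tag in ACTIVE_ELEMENTS:
            self.result.findings.append(f"<{tag}> element is not allowed")
        for name, value in attrs:
            name, value = name.lower(), (value or "").strip()
            if name.startswith("on"):
                self.result.findings.append(f"inline event handler {name!r} on <{tag}>")
            elif name in URL_ATTRS:
                self._check_url(tag, name, value)
            elif name == "style" and "url(" in value.lower():
                self.result.findings.append(f"style attribute on <{tag}> loads an external resource")
            elif tag == "meta" and name == "http-equiv" and value.lower() == "refresh":
                self.result.findings.append("<meta http-equiv=refresh> redirect is not allowed")

    def _check_url(self, tag: str, name: str, value: str) -> None:
        if value.lower().startswith(BLOCKED_SCHEMES):
            self.result.findings.append(f"{name}={value!r} on <{tag}> uses a blocked scheme")
            return
        host = urlparse(value).netloc.lower()  # empty for relative URLs, set for // and http(s)
        if host and host not in self.allowed_hosts:
            self.result.findings.append(f"{name} on <{tag}> loads from non-allowlisted host {host}")


def lint_custom_html(custom_html: str, allowed_hosts: Iterable[str] = ()) -> LintResult:
    linter = _CustomHTMLLinter(set(allowed_hosts))
    linter.feed(custom_html)
    linter.close()
    return linter.result


def accepts(custom_html: str, allowed_hosts: Iterable[str] = ()) -> bool:
    return lint_custom_html(custom_html, allowed_hosts).ok


def build_create_params(account_id: str, name: str, page_type: str, custom_html: str,
                        allowed_hosts: Iterable[str] = ()) -> dict:
    """Return kwargs for custom_pages.create(); raise ValueError instead of shipping bad HTML."""
    if page_type not in PAGE_TYPES:
        raise ValueError(f"unsupported custom page type {page_type!r}")
    result = lint_custom_html(custom_html, allowed_hosts)
    if not result.ok:
        raise ValueError("custom_html rejected: " + "; ".join(result.findings))
    return {"account_id": account_id, "name": name, "type": page_type, "custom_html": custom_html}


# Constructed sample inputs: the page's own example body, and one that should be rejected.
SAFE_PAGE = "<html><body><h1>Access Denied</h1><p>Contact the IT help desk.</p></body></html>"
UNSAFE_PAGE = (
    '<html><body onload="track()"><h1>Access Denied</h1>'
    '<script src="https://cdn.example.net/x.js"></script>'
    '<a href="javascript:history.back()">Go back</a></body></html>'
)

if __name__ == "__main__":
    for label, html in (("safe", SAFE_PAGE), ("unsafe", UNSAFE_PAGE)):
        print(label, lint_custom_html(html).findings)
    params = build_create_params("023e105f4ecef8ad9ca31a8372d0c353", "name", "identity_denied", SAFE_PAGE)
    from cloudflare import Cloudflare  # real SDK call only when run directly; token from CLOUDFLARE_API_TOKEN

    print(Cloudflare().zero_trust.access.custom_pages.create(**params).uid)
```

Run the linter in the pipeline that manages these pages; passing `allowed_hosts` lets an approved asset host through while scripts, handlers and `javascript:` links are still refused.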
### Custom Page Without HTML - `class CustomPageWithoutHTML: …` - `name: str` Custom page name. - `type: Literal["identity_denied", "forbidden"]` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: Optional[str]` UUID. ### Custom Page Delete Response - `class CustomPageDeleteResponse: …` - `id: Optional[str]` UUID. # Tags ## List tags `zero_trust.access.tags.list(TagListParams**kwargs) -> SyncV4PagePaginationArray[Tag]` **get** `/accounts/{account_id}/access/tags` List tags ### Parameters - `account_id: str` Identifier. - `page: Optional[int]` Page number of results. - `per_page: Optional[int]` Number of results per page. ### Returns - `class Tag: …` A tag - `name: str` The name of the tag ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) page = client.zero_trust.access.tags.list( account_id="023e105f4ecef8ad9ca31a8372d0c353", ) page = page.result[0] print(page.name) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "name": "engineers", "app_count": 1, "created_at": "2014-01-01T05:20:00.12345Z", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a tag `zero_trust.access.tags.get(strtag_name, TagGetParams**kwargs) -> Tag` **get** `/accounts/{account_id}/access/tags/{tag_name}` Get a tag ### Parameters - `account_id: str` Identifier. 
- `tag_name: str` The name of the tag ### Returns - `class Tag: …` A tag - `name: str` The name of the tag ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) tag = client.zero_trust.access.tags.get( tag_name="engineers", account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(tag.name) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "engineers", "app_count": 1, "created_at": "2014-01-01T05:20:00.12345Z", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a tag `zero_trust.access.tags.create(TagCreateParams**kwargs) -> Tag` **post** `/accounts/{account_id}/access/tags` Create a tag ### Parameters - `account_id: str` Identifier. 
- `name: Optional[str]` The name of the tag ### Returns - `class Tag: …` A tag - `name: str` The name of the tag ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) tag = client.zero_trust.access.tags.create( account_id="023e105f4ecef8ad9ca31a8372d0c353", ) print(tag.name) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "engineers", "app_count": 1, "created_at": "2014-01-01T05:20:00.12345Z", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a tag `zero_trust.access.tags.update(strtag_name, TagUpdateParams**kwargs) -> Tag` **put** `/accounts/{account_id}/access/tags/{tag_name}` Update a tag ### Parameters - `account_id: str` Identifier. 
- `tag_name: str` The name of the tag - `name: str` The name of the tag ### Returns - `class Tag: …` A tag - `name: str` The name of the tag ### Example ```python import os from cloudflare import Cloudflare client = Cloudflare( api_token=os.environ.get("CLOUDFLARE_API_TOKEN"), # This is the default and can be omitted ) tag = client.zero_trust.access.tags.update( tag_name="engineers", account_id="023e105f4ecef8ad9ca31a8372d0c353", name="engineers", ) print(tag.name) ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "name": "engineers", "app_count": 1, "created_at": "2014-01-01T05:20:00.12345Z", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a tag `zero_trust.access.tags.delete(strtag_name, TagDeleteParams**kwargs) -> TagDeleteResponse` **delete** `/accounts/{account_id}/access/tags/{tag_name}` Delete a tag ### Parameters - `account_id: str` Identifier. 
- `tag_name: str` The name of the tag

### Returns

- `class TagDeleteResponse: …`
  - `name: Optional[str]` The name of the tag

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
tag = client.zero_trust.access.tags.delete(
    tag_name="engineers",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(tag.name)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "name": "engineers"
  }
}
```

## Domain Types

### Tag

- `class Tag: …` A tag
  - `name: str` The name of the tag

### Tag Delete Response

- `class TagDeleteResponse: …`
  - `name: Optional[str]` The name of the tag

# Policies

## List Access reusable policies

`zero_trust.access.policies.list(PolicyListParams **kwargs) -> SyncV4PagePaginationArray[PolicyListResponse]`

**get** `/accounts/{account_id}/access/policies`

Lists Access reusable policies.

### Parameters

- `account_id: str` Identifier.
- `page: Optional[int]` Page number of results.
- `per_page: Optional[int]` Number of results per page.

### Returns

- `class PolicyListResponse: …`
  - `id: Optional[str]` The UUID of the policy
  - `app_count: Optional[int]` Number of Access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[True]]`
    - `True`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
page = client.zero_trust.access.policies.list(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
first_policy = page.result[0]
print(first_policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "app_count": 2,
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": ["text"],
          "allowed_clipboard_remote_to_local_formats": ["text"]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "include": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "reusable": true,
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access reusable policy

`zero_trust.access.policies.get(str policy_id, PolicyGetParams **kwargs) -> PolicyGetResponse`

**get** `/accounts/{account_id}/access/policies/{policy_id}`

Fetches a single Access reusable policy.

### Parameters

- `account_id: str` Identifier.
- `policy_id: str` The UUID of the policy

### Returns

- `class PolicyGetResponse: …`
  - `id: Optional[str]` The UUID of the policy
  - `app_count: Optional[int]` Number of Access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[True]]`
    - `True`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.policies.get(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access reusable policy

`zero_trust.access.policies.create(PolicyCreateParams **kwargs) -> PolicyCreateResponse`

**post** `/accounts/{account_id}/access/policies`

Creates a new Access reusable policy.

### Parameters

- `account_id: str` Identifier.
- `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `"allow"`
  - `"deny"`
  - `"non_identity"`
  - `"bypass"`
- `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
    - `group: Group`
      - `id: str` The ID of a previously created Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AccessAuthContextRuleAuthContext`
      - `id: str` The ID of an Authentication context.
      - `ac_id: str` The ACID of an Authentication context.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `auth_method: AuthMethod`
      - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `azure_ad: AzureAD`
      - `id: str` The ID of an Azure group.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
    - `certificate: Certificate`
  - `class AccessCommonNameRule: …` Matches a specific common name.
    - `common_name: AccessCommonNameRuleCommonName`
      - `common_name: str` The common name to match.
  - `class CountryRule: …` Matches a specific country
    - `geo: Geo`
      - `country_code: str` The country code that should be matched.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `device_posture: DevicePosture`
      - `integration_uid: str` The ID of a device posture integration.
  - `class DomainRule: …` Match an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: str` The email domain to match.
  - `class EmailListRule: …` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: str` The ID of a previously created email list.
  - `class EmailRule: …` Matches a specific email.
    - `email: Email`
      - `email: str` The email of the user.
  - `class EveryoneRule: …` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: str` The API endpoint containing your business logic.
      - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `github_organization: GitHubOrganization`
      - `identity_provider_id: str` The ID of your GitHub identity provider.
      - `name: str` The name of the organization.
      - `team: Optional[str]` The name of the team
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: str` The email of the Google Workspace group.
      - `identity_provider_id: str` The ID of your Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `login_method: AccessLoginMethodRuleLoginMethod`
      - `id: str` The ID of an identity provider.
  - `class IPListRule: …` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: str` The ID of a previously created IP list.
  - `class IPRule: …` Matches an IP address block.
    - `ip: IP`
      - `ip: str` An IPv4 or IPv6 CIDR block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: str` The ID of your Okta identity provider.
      - `name: str` The name of the Okta group.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: str` The name of the SAML attribute.
      - `attribute_value: str` The SAML attribute value to look for.
      - `identity_provider_id: str` The ID of your SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: AccessOIDCClaimRuleOIDC`
      - `claim_name: str` The name of the OIDC claim.
      - `claim_value: str` The OIDC claim value to look for.
      - `identity_provider_id: str` The ID of your OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `service_token: ServiceToken`
      - `token_id: str` The ID of a Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
      - `app_uid: str` The ID of an Access OIDC SaaS application
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
      - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: str` The name of the Access policy.
- `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
  - `approvals_needed: float` The number of approvals needed to obtain access.
  - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
  - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
- `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
  - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
      - `"text"`
- `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
  - `class DomainRule: …` Match an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `class PolicyCreateResponse: …`
  - `id: Optional[str]` The UUID of the policy
  - `app_count: Optional[int]` Number of access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Match an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `class DomainRule: …` Match an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
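Added example, not part of the Cloudflare SDK reference or its generated code: a pre-flight check for a policy body against the constraints this page states (decision values, `linked_app_token` only with `non_identity`/`bypass`, `mfa_config.session_duration` in m or h up to 720h, Go-style `session_duration`), plus a local dry-run of the include OR / exclude NOT / require AND semantics before the body is handed to `client.zero_trust.access.policies.create()`. The evaluator `matches_policy`, the identity dict shape, and the sample group/domain/CIDR values are this example's assumptions, not Cloudflare's evaluation engine.

```python
"""Added example (not Cloudflare SDK code): validate an Access reusable-policy
body against the documented constraints and dry-run its rule semantics locally.
The local evaluator models a few rule types only and is an assumption here."""
import ipaddress
import re
from typing import Any

DECISIONS = {"allow", "deny", "non_identity", "bypass"}
# mfa_config.session_duration: minutes (m) or hours (h) only, 0m .. 720h.
_MFA_DURATION = re.compile(r"^(\d+)([mh])$")
# Policy session_duration: Go-style duration such as "300ms" or "2h45m".
_GO_DURATION = re.compile(r"^(\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")


def validate_policy(params: dict[str, Any], infrastructure: bool = False) -> list[str]:
    """Return the problems found; an empty list means the body passes these checks."""
    problems: list[str] = []
    decision = params.get("decision")
    if decision not in DECISIONS:
        problems.append(f"decision must be one of {sorted(DECISIONS)}, got {decision!r}")
    if infrastructure and decision != "allow":
        problems.append("infrastructure application policies can only use the allow decision")
    if not params.get("include"):
        problems.append("include needs at least one rule (Include rules are ORed)")
    if not params.get("name"):
        problems.append("name is required")
    for section in ("include", "exclude", "require"):
        for rule in params.get(section) or []:
            if "linked_app_token" in rule and decision not in {"non_identity", "bypass"}:
                problems.append(f"{section}: linked_app_token is only compatible with "
                                "non_identity and bypass decisions")
            if "ip" in rule:
                try:
                    ipaddress.ip_network(rule["ip"]["ip"], strict=False)
                except ValueError:
                    problems.append(f"{section}: ip rule must be an IPv4 or IPv6 CIDR block")
    mfa = params.get("mfa_config") or {}
    if "session_duration" in mfa:
        m = _MFA_DURATION.match(mfa["session_duration"])
        minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1) if m else None
        if minutes is None or minutes > 720 * 60:
            problems.append("mfa_config.session_duration must be <n>m or <n>h, at most 720h")
    if "session_duration" in params and not _GO_DURATION.match(params["session_duration"]):
        problems.append("session_duration must be a duration like 300ms or 2h45m")
    return problems


def _rule_matches(rule: dict[str, Any], identity: dict[str, Any]) -> bool:
    """Local model of one AccessRule for the rule types used in SAMPLE_POLICY."""
    email = str(identity.get("email", "")).lower()
    if "everyone" in rule:
        return True
    if "group" in rule:
        return rule["group"]["id"] in identity.get("groups", ())
    if "email" in rule:
        return email == rule["email"]["email"].lower()
    if "email_domain" in rule:
        return email.rpartition("@")[2] == rule["email_domain"]["domain"].lower()
    if "ip" in rule:
        addr = identity.get("ip")
        return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(
            rule["ip"]["ip"], strict=False)
    raise ValueError(f"rule type not modelled by this example: {sorted(rule)}")


def matches_policy(params: dict[str, Any], identity: dict[str, Any]) -> bool:
    """include is OR, exclude is NOT, require is AND, as the reference states."""
    if not any(_rule_matches(r, identity) for r in params["include"]):
        return False
    if any(_rule_matches(r, identity) for r in params.get("exclude") or []):
        return False
    return all(_rule_matches(r, identity) for r in params.get("require") or [])


def create_policy(client: Any, account_id: str, params: dict[str, Any]) -> Any:
    """Validate first, then call the SDK method documented on this page."""
    problems = validate_policy(params)
    if problems:
        raise ValueError("; ".join(problems))
    return client.zero_trust.access.policies.create(account_id=account_id, **params)


# Constructed sample: the group id is the one used in this page's examples; the
# email domain and the TEST-NET-3 CIDR are placeholders.
SAMPLE_POLICY: dict[str, Any] = {
    "decision": "allow",
    "name": "Allow devs on the office network",
    "include": [{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],
    "exclude": [{"email": {"email": "contractor@example.com"}}],
    "require": [{"email_domain": {"domain": "example.com"}},
                {"ip": {"ip": "203.0.113.0/24"}}],
    "mfa_config": {"allowed_authenticators": ["security_key"],
                   "mfa_disabled": False, "session_duration": "24h"},
    "session_duration": "2h45m",
}
```

A body that fails `validate_policy` is rejected before any API call, so a mis-typed decision or an incompatible `linked_app_token` rule never reaches the account.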
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.policies.create(
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    decision="allow",
    include=[{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],
    name="Allow devs",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access reusable policy

`zero_trust.access.policies.update(str policy_id, PolicyUpdateParams **kwargs) -> PolicyUpdateResponse`

**put** `/accounts/{account_id}/access/policies/{policy_id}`

Updates an Access reusable policy.

### Parameters

- `account_id: str` Identifier.
- `policy_id: str` The UUID of the policy
- `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `"allow"`
  - `"deny"`
  - `"non_identity"`
  - `"bypass"`
- `include: Iterable[AccessRuleParam]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `class GroupRule: …` Matches an Access group.
    - `group: Group`
      - `id: str` The ID of a previously created Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token
    - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: AccessAuthContextRuleAuthContext`
      - `id: str` The ID of an Authentication context.
      - `ac_id: str` The ACID of an Authentication context.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforce different MFA options
    - `auth_method: AuthMethod`
      - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `azure_ad: AzureAD`
      - `id: str` The ID of an Azure group.
      - `identity_provider_id: str` The ID of your Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
    - `certificate: Certificate`
  - `class AccessCommonNameRule: …` Matches a specific common name.
    - `common_name: AccessCommonNameRuleCommonName`
      - `common_name: str` The common name to match.
  - `class CountryRule: …` Matches a specific country
    - `geo: Geo`
      - `country_code: str` The country code that should be matched.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully
    - `device_posture: DevicePosture`
      - `integration_uid: str` The ID of a device posture integration.
  - `class DomainRule: …` Match an entire email domain.
    - `email_domain: EmailDomain`
      - `domain: str` The email domain to match.
  - `class EmailListRule: …` Matches an email address from a list.
    - `email_list: EmailList`
      - `id: str` The ID of a previously created email list.
  - `class EmailRule: …` Matches a specific email.
    - `email: Email`
      - `email: str` The email of the user.
  - `class EveryoneRule: …` Matches everyone.
    - `everyone: Everyone` An empty object which matches on all users.
  - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: ExternalEvaluation`
      - `evaluate_url: str` The API endpoint containing your business logic.
      - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `github_organization: GitHubOrganization`
      - `identity_provider_id: str` The ID of your GitHub identity provider.
      - `name: str` The name of the organization.
      - `team: Optional[str]` The name of the team
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: GSuite`
      - `email: str` The email of the Google Workspace group.
      - `identity_provider_id: str` The ID of your Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `login_method: AccessLoginMethodRuleLoginMethod`
      - `id: str` The ID of an identity provider.
  - `class IPListRule: …` Matches an IP address from a list.
    - `ip_list: IPList`
      - `id: str` The ID of a previously created IP list.
  - `class IPRule: …` Matches an IP address block.
    - `ip: IP`
      - `ip: str` An IPv4 or IPv6 CIDR block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `okta: Okta`
      - `identity_provider_id: str` The ID of your Okta identity provider.
      - `name: str` The name of the Okta group.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `saml: SAML`
      - `attribute_name: str` The name of the SAML attribute.
      - `attribute_value: str` The SAML attribute value to look for.
      - `identity_provider_id: str` The ID of your SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: AccessOIDCClaimRuleOIDC`
      - `claim_name: str` The name of the OIDC claim.
      - `claim_value: str` The OIDC claim value to look for.
      - `identity_provider_id: str` The ID of your OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token
    - `service_token: ServiceToken`
      - `token_id: str` The ID of a Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
      - `app_uid: str` The ID of an Access OIDC SaaS application
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
    - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
      - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: str` The name of the Access policy.
- `approval_groups: Optional[Iterable[ApprovalGroupParam]]` Administrators who can approve a temporary authentication request.
- `approvals_needed: float` The number of approvals needed to obtain access. - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request. - `email_list_uuid: Optional[str]` The UUID of an re-usable email list. - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session. - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application. - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `exclude: Optional[Iterable[AccessRuleParam]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. 
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
- `require: Optional[Iterable[AccessRuleParam]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `class GroupRule: …` Matches an Access group.
  - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
  - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `class AuthenticationMethodRule: …` Enforces different MFA options.
  - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
  - `class CertificateRule: …` Matches any valid client certificate.
  - `class AccessCommonNameRule: …` Matches a specific common name.
  - `class CountryRule: …` Matches a specific country.
  - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
  - `class DomainRule: …` Matches an entire email domain.
  - `class EmailListRule: …` Matches an email address from a list.
  - `class EmailRule: …` Matches a specific email.
  - `class EveryoneRule: …` Matches everyone.
  - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
  - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
  - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
  - `class IPListRule: …` Matches an IP address from a list.
  - `class IPRule: …` Matches an IP address block.
  - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
  - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
  - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
  - `class ServiceTokenRule: …` Matches a specific Access Service Token.
  - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
- `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `class PolicyUpdateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `app_count: Optional[int]` Number of Access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.policies.update(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
    decision="allow",
    include=[{
        "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
    }],
    name="Allow devs",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access reusable policy

`zero_trust.access.policies.delete(str policy_id, PolicyDeleteParams **kwargs) -> PolicyDeleteResponse`

**delete** `/accounts/{account_id}/access/policies/{policy_id}`

Deletes an Access reusable policy.

### Parameters

- `account_id: str` Identifier.
- `policy_id: str` The UUID of the policy.

### Returns

- `class PolicyDeleteResponse: …`
  - `id: Optional[str]` The UUID of the policy.

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.policies.delete(
    policy_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="023e105f4ecef8ad9ca31a8372d0c353",
)
print(policy.id)
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Approval Group

- `class ApprovalGroup: …` A group of email addresses that can approve a temporary authentication request.
  - `approvals_needed: float` The number of approvals needed to obtain access.
  - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
  - `email_list_uuid: Optional[str]` The UUID of a reusable email list.

### Policy

- `class Policy: …`
  - `id: Optional[str]` UUID.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[object]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `created_at: Optional[datetime]`
  - `decision: Optional[Literal["allow", "deny", "non_identity", "bypass"]]` The action Access will take if a user matches this policy.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy.
  - `name: Optional[str]` The name of the Access policy.
  - `precedence: Optional[int]` The order of execution for this policy. Must be unique for each policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Creates Allow or Block policies that evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider ID.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `updated_at: Optional[datetime]`

### Policy List Response

- `class PolicyListResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `app_count: Optional[int]` Number of Access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a reusable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
- `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. - `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. 
- `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. - `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. 
- `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
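The three rule lists above compose differently (Include is OR, Require is AND, Exclude is NOT), and a policy's `decision` only applies when all three agree. The following is an added, offline Python model of that evaluation; it is example code, not the Cloudflare SDK's own implementation. The rule dictionaries use the field names documented above (`email`, `email_domain`, `ip`, `geo`, `group`, `any_valid_service_token`, `auth_method`, `everyone`). The identity context, the constructed sample policies, evaluation in ascending `precedence` order, and the fallback to `deny` when no policy matches are assumptions of this example.

```python
"""Offline model of Access policy matching: include is OR, require is AND,
exclude is NOT. Added example, not Cloudflare's code. Rule dicts use the API
field names from this page; the identity context, ascending-``precedence``
ordering and the default-deny fallback are assumptions of this example."""
import ipaddress
from typing import Any, Dict, Iterable, List

Rule = Dict[str, Dict[str, Any]]
Policy = Dict[str, Any]


def context(email: str, ip: str, *, mfa: bool = True,
            service_token: bool = False, groups: Iterable[str] = ()) -> Dict[str, Any]:
    """Build a constructed identity context for one request (not an API type).
    auth_methods holds RFC 8176 amr values, which is what AuthMethod.auth_method matches."""
    return {
        "email": email,
        "ip": ip,
        "auth_methods": {"pwd", "mfa"} if mfa else {"pwd"},
        "service_token": service_token,
        "groups": set(groups),
    }


def rule_matches(rule: Rule, ctx: Dict[str, Any]) -> bool:
    """Evaluate one AccessRule against the context. Each rule dict has exactly one key
    naming the rule type, mirroring the `group`, `email`, `ip`, ... fields above."""
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx["email"].lower() == spec["email"].lower()
    if kind == "email_domain":
        return ctx["email"].lower().rpartition("@")[2] == spec["domain"].lower()
    if kind == "ip":  # IPv4 or IPv6 CIDR block; strict=False tolerates host bits set
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "group":
        return spec["id"] in ctx["groups"]
    if kind == "any_valid_service_token":
        return bool(ctx["service_token"])
    if kind == "auth_method":
        return spec["auth_method"] in ctx["auth_methods"]
    raise ValueError(f"rule type {kind!r} is not modelled in this example")


def policy_matches(policy: Policy, ctx: Dict[str, Any]) -> bool:
    include: List[Rule] = policy.get("include") or []
    require: List[Rule] = policy.get("require") or []
    exclude: List[Rule] = policy.get("exclude") or []
    # include: OR. any([]) is False, so a policy with no include rules matches nobody.
    if not any(rule_matches(r, ctx) for r in include):
        return False
    # require: AND. all([]) is True, so an absent require list adds no constraint.
    if not all(rule_matches(r, ctx) for r in require):
        return False
    # exclude: NOT. A single hit vetoes the policy even if include and require passed.
    return not any(rule_matches(r, ctx) for r in exclude)


def decide(policies: List[Policy], ctx: Dict[str, Any]) -> str:
    """Return the decision of the first matching policy in ascending precedence
    (assumed ordering), or 'deny' when nothing matches (assumed default)."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return "deny"


# Constructed sample policies in the shape of the responses documented above.
# 198.51.100.0/24 is a documentation range standing in for a blocked network.
POLICIES: List[Policy] = [
    {"name": "Block a known-bad network", "precedence": 1, "decision": "deny",
     "include": [{"ip": {"ip": "198.51.100.0/24"}}]},
    {"name": "Staff with MFA, minus one contractor", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}]},
    {"name": "CI service token", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]

if __name__ == "__main__":
    print(decide(POLICIES, context("alice@example.com", "203.0.113.7")))
    print(decide(POLICIES, context("alice@example.com", "203.0.113.7", mfa=False)))
    print(decide(POLICIES, context("alice@example.com", "198.51.100.9")))
    print(decide(POLICIES, context("", "203.0.113.9", service_token=True)))
```

Two details worth checking in any real policy set are visible here: a lower-precedence deny placed first wins even though a later policy would allow the same user, and a Require rule such as MFA is a hard gate, so a user who satisfies Include but not Require falls through to whatever comes next (here, the default deny).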
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Get Response

- `class PolicyGetResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `app_count: Optional[int]` Number of access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method; see the `amr` values in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
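The two `session_duration` fields on these responses use different grammars and different limits: the token lifetime is a Go-style duration (`300ms`, `2h45m`, units ns, us/µs, ms, s, m, h), while `mfa_config.session_duration` accepts only `m` or `h` and is capped at 720h. Validating both client-side before a create or update call catches a malformed or over-long lifetime before it becomes a live policy. The code below is an added Python example, not part of the SDK; the unit table follows the units the page lists, and the 24-hour token-lifetime budget in `lint_policy` is an arbitrary threshold chosen for this example.

```python
"""Validators for the two duration formats on this page. Added example, not SDK
code. `session_duration` (token lifetime) is Go-style: one or more <number><unit>
components with units ns, us/µs, ms, s, m, h, e.g. '300ms' or '2h45m'.
`mfa_config.session_duration` allows only m or h, from 0m up to 720h."""
import re
from typing import Any, Dict, List

NS_PER_UNIT = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# Two-letter units are listed first so 'ms' is not consumed as 'm' followed by junk.
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_MFA_DURATION = re.compile(r"^(\d+)([mh])$")
MFA_MAX_MINUTES = 720 * 60  # 720h (30 days)


def parse_session_duration(text: str) -> int:
    """Return the token lifetime in nanoseconds, or raise ValueError.
    Rejects empty strings, unknown units (e.g. '1d'), whitespace and trailing junk."""
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, 0
    while pos < len(text):
        m = _COMPONENT.match(text, pos)
        if m is None:
            raise ValueError(f"bad duration {text!r} at offset {pos}")
        total += int(float(m.group(1)) * NS_PER_UNIT[m.group(2)])
        pos = m.end()
    return total


def parse_mfa_session_duration(text: str) -> int:
    """Return the MFA session length in minutes, or raise ValueError.
    Only m/h units are accepted; 0m is the minimum and 720h the maximum."""
    m = _MFA_DURATION.match(text)
    if m is None:
        raise ValueError(f"MFA session duration must be <n>m or <n>h, got {text!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > MFA_MAX_MINUTES:
        raise ValueError(f"MFA session duration {text!r} exceeds 720h")
    return minutes


def is_valid_session_duration(text: str) -> bool:
    try:
        parse_session_duration(text)
        return True
    except ValueError:
        return False


def is_valid_mfa_session_duration(text: str) -> bool:
    try:
        parse_mfa_session_duration(text)
        return True
    except ValueError:
        return False


def lint_policy(policy: Dict[str, Any], max_token_hours: float = 24) -> List[str]:
    """Return human-readable findings for a policy dict shaped like the responses
    above. The 24h budget for the token lifetime is this example's own threshold."""
    findings: List[str] = []
    token = policy.get("session_duration")
    if token is not None:
        try:
            ns = parse_session_duration(token)
        except ValueError as exc:
            findings.append(f"session_duration: {exc}")
        else:
            if ns > max_token_hours * NS_PER_UNIT["h"]:
                findings.append(f"session_duration {token} exceeds the {max_token_hours}h budget")
    mfa = (policy.get("mfa_config") or {}).get("session_duration")
    if mfa is not None:
        try:
            parse_mfa_session_duration(mfa)
        except ValueError as exc:
            findings.append(f"mfa_config.session_duration: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed policy fragments: one within budget, one with both fields wrong.
    print(lint_policy({"session_duration": "2h45m", "mfa_config": {"session_duration": "24h"}}))
    print(lint_policy({"session_duration": "72h", "mfa_config": {"session_duration": "900h"}}))
```

Note that the Go-style grammar accepts `2h45m` but the MFA grammar does not, so copying a value from one field to the other is a common source of rejected requests; the two parsers above keep the grammars separate for that reason.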
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Create Response

- `class PolicyCreateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `app_count: Optional[int]` Number of access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: Optional[datetime]`
  - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `class GroupRule: …` Matches an Access group.
      - `group: Group`
        - `id: str` The ID of a previously created Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
      - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: AccessAuthContextRuleAuthContext`
        - `id: str` The ID of an Authentication context.
        - `ac_id: str` The ACID of an Authentication context.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
      - `auth_method: AuthMethod`
        - `auth_method: str` The type of authentication method; see the `amr` values in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
      - `azure_ad: AzureAD`
        - `id: str` The ID of an Azure group.
        - `identity_provider_id: str` The ID of your Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
      - `certificate: Certificate`
    - `class AccessCommonNameRule: …` Matches a specific common name.
      - `common_name: AccessCommonNameRuleCommonName`
        - `common_name: str` The common name to match.
    - `class CountryRule: …` Matches a specific country.
      - `geo: Geo`
        - `country_code: str` The country code that should be matched.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
      - `device_posture: DevicePosture`
        - `integration_uid: str` The ID of a device posture integration.
    - `class DomainRule: …` Matches an entire email domain.
      - `email_domain: EmailDomain`
        - `domain: str` The email domain to match.
    - `class EmailListRule: …` Matches an email address from a list.
      - `email_list: EmailList`
        - `id: str` The ID of a previously created email list.
    - `class EmailRule: …` Matches a specific email.
      - `email: Email`
        - `email: str` The email of the user.
    - `class EveryoneRule: …` Matches everyone.
      - `everyone: Everyone` An empty object which matches on all users.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: ExternalEvaluation`
        - `evaluate_url: str` The API endpoint containing your business logic.
        - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
      - `github_organization: GitHubOrganization`
        - `identity_provider_id: str` The ID of your GitHub identity provider.
        - `name: str` The name of the organization.
        - `team: Optional[str]` The name of the team.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: GSuite`
        - `email: str` The email of the Google Workspace group.
        - `identity_provider_id: str` The ID of your Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
      - `login_method: AccessLoginMethodRuleLoginMethod`
        - `id: str` The ID of an identity provider.
    - `class IPListRule: …` Matches an IP address from a list.
      - `ip_list: IPList`
        - `id: str` The ID of a previously created IP list.
    - `class IPRule: …` Matches an IP address block.
      - `ip: IP`
        - `ip: str` An IPv4 or IPv6 CIDR block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
      - `okta: Okta`
        - `identity_provider_id: str` The ID of your Okta identity provider.
        - `name: str` The name of the Okta group.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
      - `saml: SAML`
        - `attribute_name: str` The name of the SAML attribute.
        - `attribute_value: str` The SAML attribute value to look for.
        - `identity_provider_id: str` The ID of your SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: AccessOIDCClaimRuleOIDC`
        - `claim_name: str` The name of the OIDC claim.
        - `claim_value: str` The OIDC claim value to look for.
        - `identity_provider_id: str` The ID of your OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
      - `service_token: ServiceToken`
        - `token_id: str` The ID of a Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken`
        - `app_uid: str` The ID of an Access OIDC SaaS application.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
      - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore`
        - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: Optional[str]` The name of the Access policy.
  - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application.
  - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `class GroupRule: …` Matches an Access group.
    - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token.
    - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `class AuthenticationMethodRule: …` Enforces different MFA options.
    - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider.
    - `class CertificateRule: …` Matches any valid client certificate.
    - `class AccessCommonNameRule: …` Matches a specific common name.
    - `class CountryRule: …` Matches a specific country.
    - `class AccessDevicePostureRule: …` Enforces that a device posture rule has run successfully.
    - `class DomainRule: …` Matches an entire email domain.
    - `class EmailListRule: …` Matches an email address from a list.
    - `class EmailRule: …` Matches a specific email.
    - `class EveryoneRule: …` Matches everyone.
    - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `class GitHubOrganizationRule: …` Matches a GitHub organization. Requires a GitHub identity provider.
    - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `class AccessLoginMethodRule: …` Matches a specific identity provider id.
    - `class IPListRule: …` Matches an IP address from a list.
    - `class IPRule: …` Matches an IP address block.
    - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider.
    - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider.
    - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider.
    - `class ServiceTokenRule: …` Matches a specific Access Service Token.
    - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `class AccessUserRiskScoreRule: …` Matches a user's risk score.
  - `reusable: Optional[Literal[true]]`
    - `true`
  - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: Optional[datetime]`

### Policy Update Response

- `class PolicyUpdateResponse: …`
  - `id: Optional[str]` The UUID of the policy.
  - `app_count: Optional[int]` Number of access applications currently using this policy.
  - `approval_groups: Optional[List[ApprovalGroup]]` Administrators who can approve a temporary authentication request.
    - `approvals_needed: float` The number of approvals needed to obtain access.
    - `email_addresses: Optional[List[str]]` A list of emails that can approve the access request.
    - `email_list_uuid: Optional[str]` The UUID of a re-usable email list.
  - `approval_required: Optional[bool]` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: Optional[ConnectionRules]` The rules that define how users may connect to targets secured by your application.
    - `rdp: Optional[ConnectionRulesRDP]` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: Optional[datetime]` - `decision: Optional[Decision]` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: Optional[List[AccessRule]]` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `class GroupRule: …` Matches an Access group. - `group: Group` - `id: str` The ID of a previously created Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `any_valid_service_token: AnyValidServiceToken` An empty object which matches on all service tokens. - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: AccessAuthContextRuleAuthContext` - `id: str` The ID of an Authentication context. - `ac_id: str` The ACID of an Authentication context. - `identity_provider_id: str` The ID of your Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `auth_method: AuthMethod` - `auth_method: str` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `azure_ad: AzureAD` - `id: str` The ID of an Azure group. - `identity_provider_id: str` The ID of your Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `certificate: Certificate` - `class AccessCommonNameRule: …` Matches a specific common name. - `common_name: AccessCommonNameRuleCommonName` - `common_name: str` The common name to match. 
- `class CountryRule: …` Matches a specific country - `geo: Geo` - `country_code: str` The country code that should be matched. - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `device_posture: DevicePosture` - `integration_uid: str` The ID of a device posture integration. - `class DomainRule: …` Match an entire email domain. - `email_domain: EmailDomain` - `domain: str` The email domain to match. - `class EmailListRule: …` Matches an email address from a list. - `email_list: EmailList` - `id: str` The ID of a previously created email list. - `class EmailRule: …` Matches a specific email. - `email: Email` - `email: str` The email of the user. - `class EveryoneRule: …` Matches everyone. - `everyone: Everyone` An empty object which matches on all users. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: ExternalEvaluation` - `evaluate_url: str` The API endpoint containing your business logic. - `keys_url: str` The API endpoint containing the key that Access uses to verify that the response came from your API. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `github_organization: GitHubOrganization` - `identity_provider_id: str` The ID of your Github identity provider. - `name: str` The name of the organization. - `team: Optional[str]` The name of the team - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: GSuite` - `email: str` The email of the Google Workspace group. - `identity_provider_id: str` The ID of your Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `login_method: AccessLoginMethodRuleLoginMethod` - `id: str` The ID of an identity provider. - `class IPListRule: …` Matches an IP address from a list. 
- `ip_list: IPList` - `id: str` The ID of a previously created IP list. - `class IPRule: …` Matches an IP address block. - `ip: IP` - `ip: str` An IPv4 or IPv6 CIDR block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `okta: Okta` - `identity_provider_id: str` The ID of your Okta identity provider. - `name: str` The name of the Okta group. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `saml: SAML` - `attribute_name: str` The name of the SAML attribute. - `attribute_value: str` The SAML attribute value to look for. - `identity_provider_id: str` The ID of your SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: AccessOIDCClaimRuleOIDC` - `claim_name: str` The name of the OIDC claim. - `claim_value: str` The OIDC claim value to look for. - `identity_provider_id: str` The ID of your OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `service_token: ServiceToken` - `token_id: str` The ID of a Service Token. - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken` - `app_uid: str` The ID of an Access OIDC SaaS application - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `user_risk_score: AccessUserRiskScoreRuleUserRiskScore` - `user_risk_score: List[Literal["low", "medium", "high", "unscored"]]` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: Optional[List[AccessRule]]` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `class GroupRule: …` Matches an Access group. 
- `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. - `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. 
- `isolation_required: Optional[bool]` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: Optional[MfaConfig]` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: Optional[bool]` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: Optional[str]` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: Optional[str]` The name of the Access policy. - `purpose_justification_prompt: Optional[str]` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: Optional[bool]` Require users to enter a justification when they log in to the application. - `require: Optional[List[AccessRule]]` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `class GroupRule: …` Matches an Access group. - `class AnyValidServiceTokenRule: …` Matches any valid Access Service Token - `class AccessAuthContextRule: …` Matches an Azure Authentication Context. Requires an Azure identity provider. - `class AuthenticationMethodRule: …` Enforce different MFA options - `class AzureGroupRule: …` Matches an Azure group. Requires an Azure identity provider. - `class CertificateRule: …` Matches any valid client certificate. - `class AccessCommonNameRule: …` Matches a specific common name. - `class CountryRule: …` Matches a specific country - `class AccessDevicePostureRule: …` Enforces a device posture rule has run successfully - `class DomainRule: …` Match an entire email domain. 
- `class EmailListRule: …` Matches an email address from a list. - `class EmailRule: …` Matches a specific email. - `class EveryoneRule: …` Matches everyone. - `class ExternalEvaluationRule: …` Create Allow or Block policies which evaluate the user based on custom criteria. - `class GitHubOrganizationRule: …` Matches a Github organization. Requires a Github identity provider. - `class GSuiteGroupRule: …` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `class AccessLoginMethodRule: …` Matches a specific identity provider id. - `class IPListRule: …` Matches an IP address from a list. - `class IPRule: …` Matches an IP address block. - `class OktaGroupRule: …` Matches an Okta group. Requires an Okta identity provider. - `class SAMLGroupRule: …` Matches a SAML group. Requires a SAML identity provider. - `class AccessOIDCClaimRule: …` Matches an OIDC claim. Requires an OIDC identity provider. - `class ServiceTokenRule: …` Matches a specific Access Service Token - `class AccessLinkedAppTokenRule: …` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `class AccessUserRiskScoreRule: …` Matches a user's risk score. - `reusable: Optional[Literal[true]]` - `true` - `session_duration: Optional[str]` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: Optional[datetime]` ### Policy Delete Response - `class PolicyDeleteResponse: …` - `id: Optional[str]` The UUID of the policy
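The policy responses above describe how Access combines rule lists: `include` is evaluated with OR (one matching rule is enough), `require` with AND (every rule must match) and `exclude` with NOT (a single match vetoes the policy). The following is an added example, not code from the cloudflare SDK or from Cloudflare, that applies those three operators locally to rule dicts shaped like the `AccessRule` objects in this reference. The `Identity` dict, the subset of rule kinds it understands, and the `overly_broad_allow` hygiene check are assumptions made for the example; they are not SDK types or API behaviour.

```python
"""Local evaluator for the include / require / exclude semantics of an Access policy.

Added example; not code from the cloudflare SDK. Rule dicts follow the shape of the
AccessRule objects in the reference (e.g. {"email_domain": {"domain": "example.com"}}).
The Identity dict is a constructed stand-in for what Access knows about a request.
"""
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List, Optional

Rule = Dict[str, Any]
Policy = Dict[str, Any]
Identity = Dict[str, Any]  # constructed for this example, not an SDK type


def rule_matches(rule: Rule, ident: Identity) -> bool:
    """Return True if a single AccessRule matches the identity.

    Only a subset of rule kinds is implemented here (assumption: enough to show the
    combination logic); any other rule kind is treated as not matching.
    """
    if "everyone" in rule:
        return True
    if "any_valid_service_token" in rule:
        return bool(ident.get("service_token_valid"))
    if "email" in rule:
        return ident.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        # Compare the part after '@' exactly, so "example.com" does not match
        # "notexample.com" or a sub-domain.
        email = ident.get("email", "").lower()
        return "@" in email and email.rsplit("@", 1)[1] == rule["email_domain"]["domain"].lower()
    if "geo" in rule:
        return ident.get("country_code") == rule["geo"]["country_code"]
    if "ip" in rule:
        src = ident.get("ip")
        return src is not None and ip_address(src) in ip_network(rule["ip"]["ip"], strict=False)
    if "group" in rule:
        return rule["group"]["id"] in ident.get("group_ids", [])
    if "user_risk_score" in rule:
        return ident.get("risk_score", "unscored") in rule["user_risk_score"]["user_risk_score"]
    return False


def policy_matches(policy: Policy, ident: Identity) -> bool:
    """Apply the documented combination: include is OR, require is AND, exclude is NOT."""
    include: List[Rule] = policy.get("include") or []
    require: List[Rule] = policy.get("require") or []
    exclude: List[Rule] = policy.get("exclude") or []
    if not any(rule_matches(r, ident) for r in include):
        return False  # no Include rule matched (an empty include list matches nobody)
    if not all(rule_matches(r, ident) for r in require):
        return False  # at least one Require rule failed
    if any(rule_matches(r, ident) for r in exclude):
        return False  # an Exclude rule matched, which vetoes the policy
    return True


def decide(policy: Policy, ident: Identity) -> Optional[str]:
    """Return the policy's decision if it matches, else None (policy does not apply)."""
    return policy["decision"] if policy_matches(policy, ident) else None


def overly_broad_allow(policy: Policy) -> bool:
    """Hygiene check (assumption, not an API feature): an allow policy whose only gate
    is `everyone`, with no require or exclude rules, admits any authenticated user."""
    if policy.get("decision") != "allow":
        return False
    include = policy.get("include") or []
    unconstrained = not (policy.get("require") or policy.get("exclude"))
    return unconstrained and any("everyone" in r for r in include)


# Constructed sample data (not from the API reference).
SAMPLE_POLICY: Policy = {
    "name": "staff-from-us-low-risk",
    "decision": "allow",
    "include": [{"email_domain": {"domain": "example.com"}}],
    "require": [{"geo": {"country_code": "US"}}],
    "exclude": [{"user_risk_score": {"user_risk_score": ["high"]}}],
}
SAMPLE_IDENTITY: Identity = {
    "email": "alice@example.com",
    "country_code": "US",
    "ip": "10.1.2.3",
    "risk_score": "low",
    "group_ids": [],
}

if __name__ == "__main__":
    print(decide(SAMPLE_POLICY, SAMPLE_IDENTITY))                                      # allow
    print(decide(SAMPLE_POLICY, {**SAMPLE_IDENTITY, "risk_score": "high"}))           # None
    print(overly_broad_allow({"decision": "allow", "include": [{"everyone": {}}]}))   # True
```

The evaluator treats a missing Include match, a failed Require rule and a matched Exclude rule as three separate early returns so that it is obvious which operator rejected the request; the `exclude` check on a high risk score shows why a veto list is the right place for a risk-based gate, since it applies no matter how the user got through `include`.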