Add an Access application
Adds a new application to Access.
Security
API Token
The preferred authorization scheme for interacting with the Cloudflare API. Create a token.
Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYYAPI
Email + API Key
The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.
X-Auth-Email: user@example.com
The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.
X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Apps and Policies Write
Parameters
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
class SelfHostedApplicationDestinationPublicDestination: …
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
class SelfHostedApplicationDestinationPrivateDestination: …
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: Optional[Literal["tcp", "udp"]]
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Configures multi-factor authentication (MFA) settings.
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
class SelfHostedApplicationPolicyAccessAppPolicyLink: …
A JSON that links a reusable policy to an application.
class SelfHostedApplicationPolicyUnionMember2: …
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRules]
The rules that define how users may connect to targets secured by your application.
rdp: Optional[SelfHostedApplicationPolicyUnionMember2ConnectionRulesRDP]
The RDP-specific rules that define clipboard behavior for RDP connections.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[SelfHostedApplicationPolicyUnionMember2MfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Iterable[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]
Multiple authentication schemes
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: Optional[Operations]
Whether or not this mapping applies to creates, updates, or deletes.
strictness: Optional[Literal["strict", "passthrough"]]
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
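The parameter descriptions above state several constraints that the API will reject or silently resolve (the session_duration grammar, auto_redirect_to_identity needing exactly one entry in allowed_idps, options_preflight_bypass conflicting with cors_headers, self_hosted_domains being ignored when destinations is set, unique policy precedence). The following is an added example, not Cloudflare's SDK or code from this page: it assembles a request body for this endpoint with the cookie hardening fields enabled and checks those constraints before anything is sent. Field names are those of the Access application API (this extraction dropped most of the names next to their descriptions; `type` and `name` are not described on this page at all), and every hostname, IdP id and policy value is a constructed sample.

```python
"""Assemble and pre-check a body for POST /accounts/{account_id}/access/apps.

Added example, not Cloudflare's SDK. Field names follow the Access application
API; the checks encode constraints stated in the parameter descriptions.
All hostnames, IdP ids and the sample policy are constructed values.
"""
import json
import re
import urllib.request
from typing import Any

# Go-style duration: one or more <number><unit> groups, units as documented
# for session_duration (ns, us or µs, ms, s, m, h).
_DURATION_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def valid_session_duration(value: str) -> bool:
    """True for '300ms', '2h45m', '1.5h'; False for '', '2h45', '5d'."""
    pos = 0
    for part in _DURATION_PART.finditer(value):
        if part.start() != pos:      # characters between groups that match no <number><unit>
            return False
        pos = part.end()
    return bool(value) and pos == len(value)


def check_constraints(body: dict[str, Any]) -> list[str]:
    """Return the documented constraints the body violates (empty list means ok)."""
    problems = []
    if not valid_session_duration(body.get("session_duration", "24h")):
        problems.append("session_duration must look like 300ms or 2h45m")
    if body.get("auto_redirect_to_identity") and len(body.get("allowed_idps", [])) != 1:
        problems.append("auto_redirect_to_identity requires exactly one allowed_idps entry")
    if body.get("options_preflight_bypass") and body.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be on when cors_headers is set")
    precedence = [p["precedence"] for p in body.get("policies", []) if "precedence" in p]
    if len(precedence) != len(set(precedence)):
        problems.append("policy precedence must be unique within the app")
    if body.get("destinations") and body.get("self_hosted_domains"):
        problems.append("self_hosted_domains is ignored when destinations is set; drop it")
    return problems


def build_self_hosted_app(domain, destinations, policies, *, allowed_idps=None,
                          auto_redirect_to_identity=False, session_duration="24h",
                          cors_headers=None, options_preflight_bypass=False):
    """Build the JSON body with the cookie hardening this endpoint exposes."""
    body = {
        "type": "self_hosted",
        "name": domain,
        "domain": domain,
        "destinations": destinations,
        "policies": policies,
        "session_duration": session_duration,
        "auto_redirect_to_identity": auto_redirect_to_identity,
        "options_preflight_bypass": options_preflight_bypass,
        # Cookie hardening: bind the session cookie to the client, keep it away
        # from scripts (XSS) and stop cross-site sends (CSRF).
        "enable_binding_cookie": True,
        "http_only_cookie_attribute": True,
        "same_site_cookie_attribute": "strict",
    }
    if allowed_idps:                 # omitted means "all IdPs in the account"
        body["allowed_idps"] = allowed_idps
    if cors_headers:
        body["cors_headers"] = cors_headers
    problems = check_constraints(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


# Constructed sample values (not from the page).
SAMPLE_DESTINATIONS = [
    {"type": "public", "uri": "app.example.com/admin/*"},                   # wildcard path
    {"type": "private", "hostname": "db.internal.example", "l4_protocol": "tcp"},
]
SAMPLE_POLICY = {  # a policy exclusive to this application
    "name": "Staff with MFA",
    "decision": "allow",
    "precedence": 1,
    "include": [{"email_domain": {"domain": "example.com"}}],
    "require": [{"auth_method": {"auth_method": "mfa"}}],  # AuthenticationMethodRule, RFC 8176 amr value
    "exclude": [],
    "purpose_justification_required": True,
    "purpose_justification_prompt": "Why do you need admin access today?",
}


def create_app(account_id: str, api_token: str, body: dict[str, Any]) -> dict[str, Any]:
    """POST the body using API-token auth (the preferred scheme). Network call; not run here."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    app = build_self_hosted_app("app.example.com", SAMPLE_DESTINATIONS, [SAMPLE_POLICY],
                                allowed_idps=["IDP_UUID_PLACEHOLDER"],
                                auto_redirect_to_identity=True, session_duration="8h")
    print(json.dumps(app, indent=2))
```

Running the module prints the body it would send; `create_app` is the only part that touches the network and needs a real account id and a token carrying the Access: Apps and Policies Write permission.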
Returns
class SelfHostedApplication: …
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: Optional[CORSHeaders]
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: Optional[List[SelfHostedApplicationDestination]]
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
class SelfHostedApplicationDestinationPublicDestination: …
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
class SelfHostedApplicationDestinationPrivateDestination: …
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: Optional[Literal["tcp", "udp"]]
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: Optional[SelfHostedApplicationMfaConfig]
Configures multi-factor authentication (MFA) settings.
oauth_configuration: Optional[SelfHostedApplicationOAuthConfiguration]
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: Optional[SelfHostedApplicationOAuthConfigurationDynamicClientRegistration]
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
policies: Optional[List[SelfHostedApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[SelfHostedApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options
auth_method: AuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options
auth_method: AuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[SelfHostedApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options
auth_method: AuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: Optional[SelfHostedApplicationSCIMConfig]
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: Optional[SelfHostedApplicationSCIMConfigAuthentication]
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
List[SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]
Multiple authentication schemes
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class SelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: Optional[Operations]
Whether or not this mapping applies to creates, updates, or deletes.
strictness: Optional[Literal["strict", "passthrough"]]
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
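The policy fields returned above define how a policy matches: Include rules combine with OR, Require rules with AND, Exclude rules with NOT, and policies run in ascending precedence with a unique order per application. The following is an added example, not Cloudflare's code: a small local model of those semantics over a simplified identity record, so a defender can test how a proposed policy set behaves before creating it. The supported rule kinds (`email`, `email_domain`, `auth_method`, `gsuite`, `everyone`) use the real rule shapes but only the handful a test needs; identities, group names and the IdP id are constructed samples, and the default deny when no policy matches is this model's assumption about Access's behaviour, not something this page states.

```python
"""Local model of Access policy evaluation: Include = OR, Require = AND,
Exclude = NOT, policies walked in ascending precedence, first match decides.

Added example, not Cloudflare code. Identities and rule values are constructed.
"""
from typing import Any

Rule = dict[str, Any]
Identity = dict[str, Any]


def rule_matches(rule: Rule, ident: Identity) -> bool:
    """Evaluate one rule object (single-key dict, as in the API) against an identity."""
    (kind, spec), = rule.items()
    if kind == "email":
        return ident.get("email") == spec["email"]
    if kind == "email_domain":
        return ident.get("email", "").rpartition("@")[2] == spec["domain"]
    if kind == "auth_method":                       # AuthenticationMethodRule: RFC 8176 amr value
        return spec["auth_method"] in ident.get("amr", [])
    if kind == "gsuite":                            # GSuiteGroupRule: Google Workspace group
        return spec["email"] in ident.get("groups", [])
    if kind == "everyone":
        return True
    raise ValueError(f"unsupported rule kind {kind!r}")


def policy_matches(policy: dict[str, Any], ident: Identity) -> bool:
    """A policy matches when any Include, all Require and no Exclude rule matches."""
    include = policy.get("include", [])
    require = policy.get("require", [])
    exclude = policy.get("exclude", [])
    return (
        any(rule_matches(r, ident) for r in include)          # OR over Include
        and all(rule_matches(r, ident) for r in require)      # AND over Require
        and not any(rule_matches(r, ident) for r in exclude)  # NOT over Exclude
    )


def decide(policies: list[dict[str, Any]], ident: Identity) -> str:
    """Walk policies in ascending precedence; the first match supplies the decision.
    No match falls through to deny (this model's assumption)."""
    ordered = sorted(policies, key=lambda p: p["precedence"])
    if len({p["precedence"] for p in policies}) != len(policies):
        raise ValueError("precedence must be unique within an application")
    for policy in ordered:
        if policy_matches(policy, ident):
            return policy["decision"]
    return "deny"


# Constructed sample policy set: an explicit deny ahead of an MFA-gated allow.
SAMPLE_POLICIES = [
    {"name": "Block contractors", "decision": "deny", "precedence": 1,
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "Staff with MFA", "decision": "allow", "precedence": 2,
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}}],
     "exclude": [{"gsuite": {"email": "offboarding@example.com",
                             "identity_provider_id": "IDP_UUID_PLACEHOLDER"}}]},
]

# Constructed identities as an IdP might assert them.
STAFF_MFA = {"email": "alice@example.com", "amr": ["pwd", "mfa"], "groups": []}
STAFF_NO_MFA = {"email": "bob@example.com", "amr": ["pwd"], "groups": []}
STAFF_LEAVING = {"email": "carol@example.com", "amr": ["pwd", "mfa"],
                 "groups": ["offboarding@example.com"]}
CONTRACTOR = {"email": "dan@contractor.example", "amr": ["pwd", "mfa"], "groups": []}


if __name__ == "__main__":
    for ident in (STAFF_MFA, STAFF_NO_MFA, STAFF_LEAVING, CONTRACTOR):
        print(f"{ident['email']:28} -> {decide(SAMPLE_POLICIES, ident)}")
```

The same walk is what a reviewer does by hand when a policy set grows: an Allow with a broad Include is only as tight as its Require list, and an Exclude on a group is the cheapest way to cut off access during offboarding without editing every policy.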
class SaaSApplication: …
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom pages that will be displayed when applicable for this application.
policies: Optional[List[SaaSApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[SaaSApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options
auth_method: AuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options
auth_method: AuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[SaaSApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options
auth_method: AuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
saas_app: Optional[SaaSApplicationSaaSApp]
class SAMLSaaSApp: …
auth_type: Optional[Literal["saml", "oidc"]]
Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset.
The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
custom_attributes: Optional[List[CustomAttribute]]
The URL that the user will be redirected to after a successful login for IDP initiated logins.
name_id_format: Optional[SaaSAppNameIDFormat]
The format of the name identifier sent to the SaaS application.
A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
class OIDCSaaSApp: …
The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
auth_type: Optional[Literal["saml", "oidc"]]
Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
custom_claims: Optional[List[CustomClaim]]
grant_types: Optional[List[Literal["authorization_code", "authorization_code_with_pkce", "refresh_tokens", 2 more]]]
The OIDC flows supported by this application.
A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint.
The permitted URLs to which Cloudflare may return authorization codes and Access/ID tokens.
scim_config: Optional[SaaSApplicationSCIMConfig]
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: Optional[SaaSApplicationSCIMConfigAuthentication]
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
List[SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]
Multiple authentication schemes.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class SaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: Optional[Operations]
Whether or not this mapping applies to creates, updates, or deletes.
strictness: Optional[Literal["strict", "passthrough"]]
The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
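As an added worked example (not code from the Cloudflare reference or its SDK), the following Python models how a SCIM mapping's filter, operations, strictness and transform fields, together with deactivate_on_delete from scim_config, decide what is sent to the target. The outbound schema, the sample user, the mapping values and the tiny filter subset (`attr eq value` clauses joined by `and`, standing in for full SCIM filter syntax) are constructed assumptions, and a Python callable stands in for the JSONata transform.

```python
import json
import re
from typing import Any, Callable, Dict, Optional, Set

# Constructed: the attributes this target accepts for a User resource.
# Stands in for the target's outbound schema; not a real target's schema.
TARGET_USER_SCHEMA: Set[str] = {"userName", "displayName", "emails", "active", "externalId"}

# One `attr eq value` clause; values are a JSON string, true/false or an integer.
_CLAUSE = re.compile(r'^\s*(\w+)\s+eq\s+("[^"]*"|true|false|\d+)\s*$')


def scim_filter_matches(expr: str, resource: Dict[str, Any]) -> bool:
    """Evaluate a small subset of SCIM filter syntax (RFC 7644): `attr eq value`
    clauses joined by `and`. Full SCIM filters are richer; this is illustrative."""
    for clause in expr.split(" and "):
        match = _CLAUSE.match(clause)
        if match is None:
            raise ValueError(f"unsupported filter clause: {clause!r}")
        attr, raw_value = match.groups()
        if resource.get(attr) != json.loads(raw_value):
            return False
    return True


def apply_mapping(resource: Dict[str, Any], operation: str, mapping: Dict[str, Any],
                  deactivate_on_delete: bool = False,
                  schema: Set[str] = TARGET_USER_SCHEMA) -> Optional[Dict[str, Any]]:
    """Return the outbound request (method and body) for one SCIM resource under
    one mapping, or None when the mapping does not apply. Mapping keys mirror the
    reference fields: filter, operations, strictness and transform (a Python
    callable standing in for the JSONata expression)."""
    operations = mapping.get("operations", {"create": True, "update": True, "delete": True})
    if not operations.get(operation, False):
        return None
    scim_filter = mapping.get("filter")
    if scim_filter is not None and not scim_filter_matches(scim_filter, resource):
        return None
    if operation == "delete":
        if deactivate_on_delete:
            # Soft delete: set active=false instead of sending DELETE, for
            # targets that do not support DELETE operations.
            return {"method": "PATCH", "body": {"active": False}}
        return {"method": "DELETE", "body": None}
    transform: Optional[Callable[[Dict[str, Any]], Dict[str, Any]]] = mapping.get("transform")
    body = transform(resource) if transform is not None else dict(resource)
    strictness = mapping.get("strictness", "strict")
    if strictness == "strict":
        # Drop attributes the target schema does not know about.
        body = {key: value for key, value in body.items() if key in schema}
    elif strictness != "passthrough":
        raise ValueError(f"unknown strictness: {strictness!r}")
    return {"method": "POST" if operation == "create" else "PUT", "body": body}


# Constructed sample resource and mapping.
SAMPLE_USER: Dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com",
    "displayName": "Alice Example",
    "active": True,
    "department": "Security",  # not in TARGET_USER_SCHEMA
}
SAMPLE_MAPPING: Dict[str, Any] = {
    "filter": 'active eq true and department eq "Security"',
    "operations": {"create": True, "update": True, "delete": False},
    "strictness": "strict",
    "transform": lambda user: {**user, "externalId": user["userName"]},
}
```

With the sample mapping, a create of the sample user yields a POST whose body keeps only userName, displayName, active and the externalId added by the transform; the unknown department attribute and the schemas list are stripped by strict mode, and deletes are never propagated because the mapping's operations exclude them.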
class BrowserSSHApplication: …
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: Optional[CORSHeaders]
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
destinations: Optional[List[BrowserSSHApplicationDestination]]
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
class BrowserSSHApplicationDestinationPublicDestination: …
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
class BrowserSSHApplicationDestinationPrivateDestination: …
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: Optional[Literal["tcp", "udp"]]
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: Optional[BrowserSSHApplicationMfaConfig]
Configures multi-factor authentication (MFA) settings.
oauth_configuration: Optional[BrowserSSHApplicationOAuthConfiguration]
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: Optional[BrowserSSHApplicationOAuthConfigurationDynamicClientRegistration]
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
policies: Optional[List[BrowserSSHApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[BrowserSSHApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[BrowserSSHApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
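To make the include (OR), exclude (NOT) and require (AND) semantics and the precedence ordering of a policy list concrete, here is an added Python evaluator; it is not code from the Cloudflare SDK or from Access itself. It assumes first-match-wins evaluation in precedence order, that no matching policy means no decision (which Access treats as a denial), and rule predicates over a constructed identity dictionary whose email, groups and amr keys are illustrative stand-ins for the rule types listed above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed identity shape used by the rule predicates below (not the
# Access JWT claim layout): email, groups and amr (RFC 8176 method names).
Identity = Dict[str, object]
Rule = Callable[[Identity], bool]


@dataclass
class Policy:
    name: str
    decision: str                 # allow, deny, non_identity or bypass
    precedence: int               # must be unique within the application
    include: List[Rule] = field(default_factory=list)  # OR: any rule matches
    exclude: List[Rule] = field(default_factory=list)  # NOT: no rule matches
    require: List[Rule] = field(default_factory=list)  # AND: every rule matches

    def matches(self, identity: Identity) -> bool:
        # Include: at least one rule must match; an empty list matches nobody.
        if not any(rule(identity) for rule in self.include):
            return False
        # Exclude: matching any rule disqualifies the user.
        if any(rule(identity) for rule in self.exclude):
            return False
        # Require: all rules must match; an empty list is vacuously satisfied.
        return all(rule(identity) for rule in self.require)


def has_unique_precedence(policies: List[Policy]) -> bool:
    values = [policy.precedence for policy in policies]
    return len(values) == len(set(values))


def evaluate(policies: List[Policy], identity: Identity) -> Optional[str]:
    """Decision of the first matching policy in precedence order (assumed
    first-match-wins), or None when no policy matches."""
    if not has_unique_precedence(policies):
        raise ValueError("policy precedence must be unique within an app")
    for policy in sorted(policies, key=lambda p: p.precedence):
        if policy.matches(identity):
            return policy.decision
    return None


# Rule constructors standing in for a few rule types in the reference.
def email_domain(domain: str) -> Rule:
    return lambda identity: str(identity.get("email", "")).lower().endswith("@" + domain)


def gsuite_group(group: str) -> Rule:
    # GSuiteGroupRule: membership in a Google Workspace group
    return lambda identity: group in identity.get("groups", [])


def auth_method(amr_value: str) -> Rule:
    # AuthenticationMethodRule: RFC 8176 amr values such as "hwk", "otp", "pwd"
    return lambda identity: amr_value in identity.get("amr", [])


# Constructed policy set: deny contractors first, then allow staff who
# authenticated with a hardware key and are not being offboarded.
EXAMPLE_POLICIES = [
    Policy("contractors-deny", "deny", 1,
           include=[gsuite_group("contractors@example.com")]),
    Policy("staff-allow", "allow", 2,
           include=[email_domain("example.com")],
           exclude=[gsuite_group("offboarding@example.com")],
           require=[auth_method("hwk")]),
]
```

The ordering matters: a contractor who also has a staff e-mail address hits the deny policy at precedence 1 before the allow policy is ever consulted, and a staff member who logged in with a password alone fails the require rule and receives no decision at all.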
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
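An added example of the verifying side of that single-header form, not Cloudflare's implementation: it parses the header value as a JSON object with the two keys, falls back to the CF-Access-Client-Id / CF-Access-Client-Secret pair only when the configured header is absent, fails closed on anything malformed, and compares the secret in constant time. The header name X-Access-Service-Token, the token registry and its id/secret values are constructed for the example.

```python
import hmac
import json
from typing import Dict, Mapping, Optional, Tuple

# Constructed service-token registry (client id -> client secret). The values
# are placeholders for the example, not real Access credentials.
EXAMPLE_CLIENT_ID = "0123456789abcdef0123456789abcdef.access.example.com"
EXAMPLE_CLIENT_SECRET = "constructed-example-secret-do-not-reuse"
KNOWN_SERVICE_TOKENS: Dict[str, str] = {EXAMPLE_CLIENT_ID: EXAMPLE_CLIENT_SECRET}

# The standard pair of headers, plus a constructed name for the single-header form.
PAIR_ID_HEADER = "CF-Access-Client-Id"
PAIR_SECRET_HEADER = "CF-Access-Client-Secret"
SINGLE_HEADER_NAME = "X-Access-Service-Token"


def parse_single_header(value: str) -> Optional[Tuple[str, str]]:
    """Parse {"cf-access-client-id": ..., "cf-access-client-secret": ...}.
    Anything that is not a JSON object with both keys as strings is rejected."""
    try:
        obj = json.loads(value)
    except (TypeError, ValueError):
        return None
    if not isinstance(obj, dict):
        return None
    client_id = obj.get("cf-access-client-id")
    client_secret = obj.get("cf-access-client-secret")
    if not isinstance(client_id, str) or not isinstance(client_secret, str):
        return None
    return client_id, client_secret


def extract_credentials(headers: Mapping[str, str],
                        single_header_name: str = SINGLE_HEADER_NAME) -> Optional[Tuple[str, str]]:
    """Prefer the configured single header when present; a malformed value
    fails closed instead of falling back to the pair. Header names are
    matched case-insensitively."""
    lower = {name.lower(): value for name, value in headers.items()}
    if single_header_name.lower() in lower:
        return parse_single_header(lower[single_header_name.lower()])
    client_id = lower.get(PAIR_ID_HEADER.lower())
    client_secret = lower.get(PAIR_SECRET_HEADER.lower())
    if client_id is None or client_secret is None:
        return None
    return client_id, client_secret


def authenticate(headers: Mapping[str, str],
                 single_header_name: str = SINGLE_HEADER_NAME,
                 registry: Mapping[str, str] = KNOWN_SERVICE_TOKENS) -> Optional[str]:
    """Return the authenticated client id, or None when the request carries
    no valid service token."""
    creds = extract_credentials(headers, single_header_name)
    if creds is None:
        return None
    client_id, presented_secret = creds
    expected = registry.get(client_id)
    if expected is None:
        return None
    # Constant-time comparison so a wrong secret does not leak through timing.
    if not hmac.compare_digest(expected.encode(), presented_secret.encode()):
        return None
    return client_id
```

Note the fail-closed choice: when the single header is present but unparseable, the request is rejected even if a valid header pair is also attached, so a client cannot smuggle a second set of credentials past a check that only looked at one form.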
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: Optional[BrowserSSHApplicationSCIMConfig]
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: Optional[BrowserSSHApplicationSCIMConfigAuthentication]
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
List[BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]
Multiple authentication schemes.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class BrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: Optional[Operations]
Whether or not this mapping applies to creates, updates, or deletes.
strictness: Optional[Literal["strict", "passthrough"]]
The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
class BrowserVNCApplication: …
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: Optional[CORSHeaders]
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
destinations: Optional[List[BrowserVNCApplicationDestination]]
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
class BrowserVNCApplicationDestinationPublicDestination: …
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
class BrowserVNCApplicationDestinationPrivateDestination: …
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: Optional[Literal["tcp", "udp"]]
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: Optional[BrowserVNCApplicationMfaConfig]
Configures multi-factor authentication (MFA) settings.
oauth_configuration: Optional[BrowserVNCApplicationOAuthConfiguration]
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: Optional[BrowserVNCApplicationOAuthConfigurationDynamicClientRegistration]
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
policies: Optional[List[BrowserVNCApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[BrowserVNCApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[BrowserVNCApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: Optional[BrowserVNCApplicationSCIMConfig]
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: Optional[BrowserVNCApplicationSCIMConfigAuthentication]
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
List[BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]
Multiple authentication schemes.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class BrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: Optional[Operations]
Whether or not this mapping applies to creates, updates, or deletes.
strictness: Optional[Literal["strict", "passthrough"]]
The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
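An added illustration (not Cloudflare SDK code) of parsing the session_duration format described above and checking a value against a token-lifetime ceiling; the ceiling value "24h" used below is this example's own choice, not a limit the API imposes.

```python
"""Parse session_duration values ("300ms", "2h45m"; units ns, us/µs, ms, s, m, h)
and check them against a lifetime ceiling. Added example, not SDK code."""
import re
from fractions import Fraction

# Nanoseconds per unit. Both the micro sign (U+00B5) and Greek mu (U+03BC)
# are accepted for "µs", since keyboards and copy-paste produce either.
_UNIT_NS = {
    "ns": 1,
    "us": 1_000, "\u00b5s": 1_000, "\u03bcs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# One component: a decimal number followed by one unit, e.g. "2h", "45m", "1.5s".
# Longer unit names come first so "ms" is not read as "m" followed by junk.
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)")


def parse_session_duration(value: str) -> int:
    """Return the total length in nanoseconds, or raise ValueError.

    The value must be a non-empty run of number+unit components with no
    separators, as in the page's examples. A bare number such as "300"
    is rejected because it carries no unit."""
    if not value:
        raise ValueError("session_duration must not be empty")
    total = Fraction(0)
    pos = 0
    while pos < len(value):
        m = _COMPONENT.match(value, pos)
        if m is None:
            raise ValueError(f"invalid session_duration {value!r} at offset {pos}")
        number, unit = m.groups()
        total += Fraction(number) * _UNIT_NS[unit]   # Fraction keeps "1.5h" exact
        pos = m.end()
    if total.denominator != 1:
        raise ValueError(f"{value!r} is not a whole number of nanoseconds")
    return int(total)


def within_ceiling(value: str, ceiling: str) -> bool:
    """True when value does not exceed ceiling (both in session_duration format).

    The ceiling is the caller's own policy, for example "24h" to flag
    applications whose tokens stay valid for more than a day."""
    return parse_session_duration(value) <= parse_session_duration(ceiling)


if __name__ == "__main__":
    # Constructed sample values, including two that the format rejects.
    for sample in ["300ms", "2h45m", "1.5h", "500\u00b5s", "48h", "300", "2 hours"]:
        try:
            ns = parse_session_duration(sample)
            print(f"{sample!r:12} -> {ns} ns, within 24h: {within_ceiling(sample, '24h')}")
        except ValueError as exc:
            print(f"{sample!r:12} -> rejected: {exc}")
```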
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
class AppLauncherApplication: …
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
landing_page_design: Optional[AppLauncherApplicationLandingPageDesign]
The design of the App Launcher landing page shown to users when they log in.
policies: Optional[List[AppLauncherApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[AppLauncherApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[AppLauncherApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
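An added illustration (not Cloudflare SDK code) of how a policy's Include (OR), Exclude (NOT) and Require (AND) rule groups combine and how precedence must be unique within an app. The rule classes named above are stood in for by predicates over a constructed identity dict, and first-match-in-precedence-order evaluation is an assumption of this example.

```python
"""Access-style policy evaluation: include OR, exclude NOT, require AND.
Added example, not SDK code; rule types are simplified stand-ins."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

Identity = Dict[str, Any]          # constructed: what the IdP asserted about the user
Rule = Callable[[Identity], bool]  # hypothetical stand-in for the SDK rule classes


def gsuite_group(group: str) -> Rule:
    """Stand-in for GSuiteGroupRule: the identity carries a Workspace group list."""
    return lambda ident: group in ident.get("gsuite_groups", [])


def auth_method(amr: str) -> Rule:
    """Stand-in for AuthenticationMethodRule: amr values as defined in RFC 8176 section 2."""
    return lambda ident: amr in ident.get("amr", [])


@dataclass
class Policy:
    name: str
    decision: str          # e.g. "allow", "deny", "non_identity", "bypass"
    precedence: int        # order of execution; must be unique within an app
    include: List[Rule]
    exclude: List[Rule] = field(default_factory=list)
    require: List[Rule] = field(default_factory=list)

    def matches(self, ident: Identity) -> bool:
        # Include rules are OR'ed: at least one must match.
        if not any(rule(ident) for rule in self.include):
            return False
        # Exclude rules are NOT'ed: matching any one disqualifies the user.
        if any(rule(ident) for rule in self.exclude):
            return False
        # Require rules are AND'ed: every one must match.
        return all(rule(ident) for rule in self.require)


def validate_precedence(policies: List[Policy]) -> None:
    """Reject what the API rejects: two policies in one app sharing a precedence."""
    seen: Dict[int, str] = {}
    for p in policies:
        if p.precedence in seen:
            raise ValueError(
                f"precedence {p.precedence} used by both {seen[p.precedence]!r} and {p.name!r}")
        seen[p.precedence] = p.name


def evaluate(policies: List[Policy], ident: Identity) -> Optional[str]:
    """Return the decision of the first matching policy in precedence order.

    First-match semantics is an assumption of this example; None means no
    policy matched, which the caller should treat as deny."""
    validate_precedence(policies)
    for p in sorted(policies, key=lambda p: p.precedence):
        if p.matches(ident):
            return p.decision
    return None


# Constructed sample app: block anyone being offboarded first, then allow
# engineering only when the IdP asserted MFA and the user is not a contractor.
SAMPLE_POLICIES = [
    Policy("Allow engineering with MFA", "allow", precedence=2,
           include=[gsuite_group("engineering@example.com")],
           exclude=[gsuite_group("contractors@example.com")],
           require=[auth_method("mfa")]),
    Policy("Block offboarding", "deny", precedence=1,
           include=[gsuite_group("offboarding@example.com")]),
]

# Constructed identities (not real users).
ENGINEER_MFA = {"email": "a@example.com", "gsuite_groups": ["engineering@example.com"],
                "amr": ["pwd", "mfa"]}
ENGINEER_PWD_ONLY = {"email": "b@example.com", "gsuite_groups": ["engineering@example.com"],
                     "amr": ["pwd"]}
CONTRACTOR_ENGINEER = {"email": "c@example.com",
                       "gsuite_groups": ["engineering@example.com", "contractors@example.com"],
                       "amr": ["pwd", "mfa"]}
OFFBOARDING_ENGINEER = {"email": "d@example.com",
                        "gsuite_groups": ["engineering@example.com", "offboarding@example.com"],
                        "amr": ["pwd", "mfa"]}

if __name__ == "__main__":
    for label, ident in [("engineer+mfa", ENGINEER_MFA), ("engineer pwd only", ENGINEER_PWD_ONLY),
                         ("contractor", CONTRACTOR_ENGINEER), ("offboarding", OFFBOARDING_ENGINEER)]:
        print(f"{label:18} -> {evaluate(SAMPLE_POLICIES, ident)}")
```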
class DeviceEnrollmentPermissionsApplication: …
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
policies: Optional[List[DeviceEnrollmentPermissionsApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
rdp: Optional[DeviceEnrollmentPermissionsApplicationPolicyConnectionRulesRDP]
The RDP-specific rules that define clipboard behavior for RDP connections.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[DeviceEnrollmentPermissionsApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
class BrowserIsolationPermissionsApplication: …
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
policies: Optional[List[BrowserIsolationPermissionsApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
rdp: Optional[BrowserIsolationPermissionsApplicationPolicyConnectionRulesRDP]
The RDP-specific rules that define clipboard behavior for RDP connections.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[BrowserIsolationPermissionsApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
class GatewayIdentityProxyEndpointApplication: …
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com.
policies: Optional[List[GatewayIdentityProxyEndpointApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
rdp: Optional[GatewayIdentityProxyEndpointApplicationPolicyConnectionRulesRDP]
The RDP-specific rules that define clipboard behavior for RDP connections.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[GatewayIdentityProxyEndpointApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
class BookmarkApplication: …
policies: Optional[List[BookmarkApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[BookmarkApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[BookmarkApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
class InfrastructureApplication: …
target_criteria: List[InfrastructureApplicationTargetCriterion]
policies: Optional[List[InfrastructureApplicationPolicy]]
connection_rules: Optional[InfrastructureApplicationPolicyConnectionRules]
The rules that define how users may connect to the targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
class BrowserRDPApplication: …
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
target_criteria: List[BrowserRDPApplicationTargetCriterion]
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: Optional[CORSHeaders]
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: Optional[List[BrowserRDPApplicationDestination]]
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
class BrowserRDPApplicationDestinationPublicDestination: …
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
class BrowserRDPApplicationDestinationPrivateDestination: …
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: Optional[Literal["tcp", "udp"]]
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: Optional[BrowserRDPApplicationMfaConfig]
Configures multi-factor authentication (MFA) settings.
oauth_configuration: Optional[BrowserRDPApplicationOAuthConfiguration]
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: Optional[BrowserRDPApplicationOAuthConfigurationDynamicClientRegistration]
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
policies: Optional[List[BrowserRDPApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[BrowserRDPApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[BrowserRDPApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: Optional[BrowserRDPApplicationSCIMConfig]
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: Optional[BrowserRDPApplicationSCIMConfigAuthentication]
Attributes for configuring the authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
List[BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]
Multiple authentication schemes.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class BrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: Optional[Operations]
Whether or not this mapping applies to creates, updates, or deletes.
strictness: Optional[Literal["strict", "passthrough"]]
The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
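The constraints above are spread across many fields (one IdP when the selection step is skipped, no OPTIONS bypass together with cors_headers, unique precedence per policy, Allow-only for infrastructure policies, linked_app_token only with non_identity or bypass), and the Include/Require/Exclude groups are OR, AND and NOT. The following is an added example, not Cloudflare's code: it checks a request body against those constraints and evaluates its policies against a user's facts. Policies and rules are plain dicts in the shape of the request body; the field names `precedence`, `auto_redirect_to_identity` and `options_preflight_bypass`, and the first-match-in-precedence-order behaviour, are assumptions not stated on this page.

```python
from typing import Any, Callable, Dict, List, Optional

Rule = Dict[str, Any]    # one rule = single-key dict, e.g. {"email": {"email": "x@example.com"}}
Policy = Dict[str, Any]


def validate_policy(policy: Policy, app_type: str) -> List[str]:
    out: List[str] = []
    name, decision = policy.get("name", "<unnamed>"), policy.get("decision")
    # Infrastructure application policies can only use the Allow action.
    if app_type == "infrastructure" and decision != "allow":
        out.append(f"policy {name}: infrastructure policies must use decision 'allow'")
    # A linked_app_token rule is only compatible with non_identity and bypass decisions.
    for group in ("include", "require", "exclude"):
        if (any("linked_app_token" in r for r in policy.get(group, []))
                and decision not in ("non_identity", "bypass")):
            out.append(f"policy {name}: linked_app_token in '{group}' needs decision "
                       "non_identity or bypass")
    return out


def validate_application(app: Dict[str, Any]) -> List[str]:
    """Return human-readable violations of the constraints the reference states."""
    out: List[str] = []
    app_type = app.get("type", "self_hosted")
    # Skipping the IdP selection step requires exactly one entry in allowed_idps.
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps", [])) != 1:
        out.append("auto_redirect_to_identity requires exactly one allowed_idps entry")
    # OPTIONS preflight bypass cannot be turned on when cors_headers is set.
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        out.append("options_preflight_bypass cannot be enabled together with cors_headers")
    # destinations supersedes the deprecated self_hosted_domains; the latter is silently ignored.
    if app.get("destinations") and app.get("self_hosted_domains"):
        out.append("self_hosted_domains is ignored because destinations is set")
    # Precedence must be unique for each policy within an app.
    seen: Dict[Any, str] = {}
    for policy in app.get("policies", []):
        name, prec = policy.get("name", "<unnamed>"), policy.get("precedence")
        if prec in seen:
            out.append(f"policy {name}: precedence {prec} already used by {seen[prec]}")
        seen[prec] = name
        out.extend(validate_policy(policy, app_type))
    return out


def policy_matches(policy: Policy, satisfies: Callable[[Rule], bool]) -> bool:
    """Include is OR, Require is AND, Exclude is NOT, as the reference states."""
    if not any(satisfies(r) for r in policy.get("include", [])):
        return False
    if not all(satisfies(r) for r in policy.get("require", [])):
        return False
    if any(satisfies(r) for r in policy.get("exclude", [])):
        return False
    return True


def evaluate(app: Dict[str, Any], satisfies: Callable[[Rule], bool]) -> Optional[str]:
    """Decision of the first matching policy in precedence order, else None (first-match
    is an assumption; the reference only calls precedence the order of execution)."""
    for policy in sorted(app.get("policies", []), key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, satisfies):
            return policy.get("decision")
    return None


def user_facts(facts: Dict[str, Any]) -> Callable[[Rule], bool]:
    """Build a rule predicate from constructed user facts; only the rule kinds used in
    SAMPLE_APP are implemented. 'amr' holds RFC 8176 authentication method values."""
    def satisfies(rule: Rule) -> bool:
        kind, body = next(iter(rule.items()))
        if kind == "email_domain":
            return facts["email"].endswith("@" + body["domain"])
        if kind == "email":
            return facts["email"] == body["email"]
        if kind == "auth_method":
            return body["auth_method"] in facts.get("amr", [])
        return False  # unknown kinds (e.g. linked_app_token) never match a browser user
    return satisfies


# Constructed sample body; every identifier and domain here is made up.
SAMPLE_APP: Dict[str, Any] = {
    "type": "self_hosted",
    "allowed_idps": ["idp-a", "idp-b"],
    "auto_redirect_to_identity": True,      # violation: two IdPs listed
    "cors_headers": {"allow_all_origins": True},
    "options_preflight_bypass": True,       # violation: conflicts with cors_headers
    "policies": [
        {"name": "contractors-deny", "decision": "deny", "precedence": 1,
         "include": [{"email_domain": {"domain": "contractor.example"}}]},
        {"name": "staff-allow", "decision": "allow", "precedence": 2,
         "include": [{"email_domain": {"domain": "example.com"}}],
         "require": [{"auth_method": {"auth_method": "mfa"}}],
         "exclude": [{"email": {"email": "suspended@example.com"}}]},
        {"name": "bot-token", "decision": "allow", "precedence": 2,      # violation: duplicate precedence
         "include": [{"linked_app_token": {"app_uid": "<app-uid>"}}]},  # violation: needs non_identity/bypass
    ],
}
```

Run `validate_application(SAMPLE_APP)` before submitting a body; the same checks are what the API would otherwise reject or silently override.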
class McpServerApplication: …
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: Optional[List[McpServerApplicationDestination]]
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
class McpServerApplicationDestinationPublicDestination: …
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
class McpServerApplicationDestinationPrivateDestination: …
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: Optional[Literal["tcp", "udp"]]
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
oauth_configuration: Optional[McpServerApplicationOAuthConfiguration]
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: Optional[McpServerApplicationOAuthConfigurationDynamicClientRegistration]
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
policies: Optional[List[McpServerApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[McpServerApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[McpServerApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: Optional[McpServerApplicationSCIMConfig]Configuration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: Optional[McpServerApplicationSCIMConfigAuthentication]Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationHTTPBasic: …Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
List[McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]Multiple authentication schemes
Multiple authentication schemes
class SCIMConfigAuthenticationHTTPBasic: …Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
class McpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: Optional[Operations]Whether or not this mapping applies to creates, updates, or deletes.
Whether or not this mapping applies to creates, updates, or deletes.
strictness: Optional[Literal["strict", "passthrough"]]The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
class McpServerPortalApplication: …
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
destinations: Optional[List[McpServerPortalApplicationDestination]]
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
class McpServerPortalApplicationDestinationPublicDestination: …
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
class McpServerPortalApplicationDestinationPrivateDestination: …
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: Optional[Literal["tcp", "udp"]]
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
oauth_configuration: Optional[McpServerPortalApplicationOAuthConfiguration]
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: Optional[McpServerPortalApplicationOAuthConfigurationDynamicClientRegistration]
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
policies: Optional[List[McpServerPortalApplicationPolicy]]
Requires the user to request access from an administrator at the start of each session.
connection_rules: Optional[McpServerPortalApplicationPolicyConnectionRules]
The rules that define how users may connect to targets secured by your application.
decision: Optional[Decision]
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: Optional[McpServerPortalApplicationPolicyMfaConfig]
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
class AccessAuthContextRule: …
Matches an Azure Authentication Context. Requires an Azure identity provider.
class AuthenticationMethodRule: …
Enforce different MFA options.
auth_method: AuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
class ExternalEvaluationRule: …
Create Allow or Block policies which evaluate the user based on custom criteria.
class GSuiteGroupRule: …
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
class AccessLinkedAppTokenRule: …
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
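The Include (OR), Exclude (NOT) and Require (AND) semantics described above, together with the uniqueness requirement on a policy's precedence, as an added example that is not part of the API reference or the cloudflare SDK. The rule helpers (group, email_domain, auth_method), the sample policies and the user attribute dictionary are constructed for the demo, and the behaviour that the first matching policy in precedence order decides, with no match treated as a deny, is an assumption of this example rather than something the reference states.

```python
# Added example (not from the Cloudflare API reference or the cloudflare SDK):
# a small evaluator for the Include / Exclude / Require rule semantics of an
# Access policy, plus precedence ordering. Rule helpers and user attributes are
# constructed for the demo; "first matching policy in precedence order wins,
# no match means deny" is an assumption, not something the reference states.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Rule = Callable[[dict], bool]  # a rule is a predicate over the user's attributes


def group(group_id: str) -> Rule:
    """Matches users that belong to the given Access group id."""
    return lambda user: group_id in user.get("groups", ())


def email_domain(domain: str) -> Rule:
    """Matches users whose e-mail address is in the given domain."""
    return lambda user: user.get("email", "").rpartition("@")[2].lower() == domain.lower()


def auth_method(amr: str) -> Rule:
    """Matches users that authenticated with the given RFC 8176 'amr' value (e.g. 'mfa')."""
    return lambda user: amr in user.get("amr", ())


@dataclass
class Policy:
    name: str
    decision: str          # e.g. "allow" or "deny"
    precedence: int        # must be unique within an application
    include: List[Rule] = field(default_factory=list)  # OR: at least one must match
    exclude: List[Rule] = field(default_factory=list)  # NOT: none may match
    require: List[Rule] = field(default_factory=list)  # AND: all must match

    def matches(self, user: dict) -> bool:
        if not any(r(user) for r in self.include):   # an empty Include matches nobody
            return False
        if any(r(user) for r in self.exclude):       # any Exclude hit rejects the user
            return False
        return all(r(user) for r in self.require)    # an empty Require is no constraint


def evaluate(policies: List[Policy], user: dict) -> Optional[str]:
    """Return the decision of the first matching policy in precedence order.

    Returns None when no policy matches (callers should treat that as a deny).
    Duplicate precedence values are rejected, since the reference requires them
    to be unique per application.
    """
    seen: Dict[int, str] = {}
    for p in policies:
        if p.precedence in seen:
            raise ValueError(f"precedence {p.precedence} used by both {seen[p.precedence]!r} and {p.name!r}")
        seen[p.precedence] = p.name
    for p in sorted(policies, key=lambda p: p.precedence):
        if p.matches(user):
            return p.decision
    return None


# Constructed sample policies (group names are placeholders, not real Access ids).
POLICIES = [
    Policy("Block contractors", "deny", precedence=0,
           include=[email_domain("contractor.example")]),
    Policy("Allow devs", "allow", precedence=1,
           include=[group("devs"), group("sre")],
           exclude=[group("offboarded")],
           require=[auth_method("mfa")]),
]


def decide(user: dict) -> Optional[str]:
    """Evaluate the sample policies for one user."""
    return evaluate(POLICIES, user)


if __name__ == "__main__":
    for u in (
        {"email": "dev@corp.example", "groups": ["devs"], "amr": ["pwd", "mfa"]},
        {"email": "dev@corp.example", "groups": ["devs"], "amr": ["pwd"]},
        {"email": "x@contractor.example", "groups": ["devs"], "amr": ["mfa"]},
    ):
        print(u["email"], "->", decide(u))
```

The point worth checking in a real configuration is the interaction shown by the third sample user: a deny policy at a lower precedence value takes effect before the allow policy, so moving a block policy to a higher precedence number would silently let that user through.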
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: Optional[McpServerPortalApplicationSCIMConfig]
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: Optional[McpServerPortalApplicationSCIMConfigAuthentication]
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
List[McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication]
Multiple authentication schemes.
class SCIMConfigAuthenticationHTTPBasic: …
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOAuthBearerToken: …
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
class SCIMConfigAuthenticationOauth2: …
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
class McpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken: …
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: Optional[Operations]
Whether or not this mapping applies to creates, updates, or deletes.
strictness: Optional[Literal["strict", "passthrough"]]
The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
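How a SCIM mapping's filter, operations and strictness settings and the deactivate_on_delete flag combine on one outbound provisioning event, as an added example that is not Cloudflare's own provisioning code. It implements only a small subset of the SCIM filter grammar (pr, eq, and, or, no parentheses), enough for the filter in this page's response example; the transform_jsonata step is skipped; the set of known User attributes is a constructed subset of the core:2.0:User schema; and the sample resource and the request shapes (including a SCIM PatchOp for the soft delete) are this example's assumptions.

```python
# Added example (not Cloudflare's own code): a toy outbound SCIM provisioning
# step that applies one mapping's filter, operations and strictness settings and
# the deactivate_on_delete flag, then returns the request a provisioner would send.
# Only a small subset of the SCIM filter grammar ('pr', 'eq', 'and', 'or', no
# parentheses) is implemented, the transform_jsonata step is skipped, and the
# set of known User attributes is a constructed subset of core:2.0:User.
import copy
import json
from typing import Optional, Tuple

USER_ATTRS = {"schemas", "id", "externalId", "userName", "name", "displayName",
              "emails", "active", "title", "userType"}

# Mapping taken from the response example on this page (JSONata transform omitted).
MAPPING = {
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "enabled": True,
    "filter": 'title pr or userType eq "Intern"',
    "operations": {"create": True, "delete": True, "update": True},
    "strictness": "strict",
}


def _term(term: str, resource: dict) -> bool:
    """Evaluate one filter term: 'attr pr' or 'attr eq "value"'."""
    parts = term.strip().split(None, 2)
    attr, op = parts[0], parts[1]
    if op == "pr":                      # attribute present and non-empty
        return resource.get(attr) not in (None, "", [], {})
    if op == "eq":
        return resource.get(attr) == json.loads(parts[2])  # '"Intern"' -> Intern
    raise ValueError(f"unsupported filter operator {op!r}")


def filter_matches(expr: str, resource: dict) -> bool:
    """'and' binds tighter than 'or'; both are evaluated left to right."""
    return any(all(_term(t, resource) for t in clause.split(" and "))
               for clause in expr.split(" or "))


def apply_strictness(resource: dict, strictness: str) -> dict:
    """'strict' drops attributes outside the outbound schema; 'passthrough' keeps them."""
    if strictness == "passthrough":
        return copy.deepcopy(resource)
    if strictness == "strict":
        return {k: copy.deepcopy(v) for k, v in resource.items() if k in USER_ATTRS}
    raise ValueError(f"unknown strictness {strictness!r}")


def provision(event: str, resource: dict, mapping: dict,
              deactivate_on_delete: bool) -> Optional[Tuple[str, str, Optional[dict]]]:
    """Return (method, path, body) for a 'create', 'update' or 'delete' event,
    or None when the mapping does not apply to this resource or event."""
    if not mapping.get("enabled", True):
        return None
    if not mapping.get("operations", {}).get(event, False):
        return None
    if not filter_matches(mapping["filter"], resource):
        return None
    body = apply_strictness(resource, mapping.get("strictness", "strict"))
    path = f"/Users/{resource['id']}"
    if event == "create":
        return ("POST", "/Users", body)
    if event == "update":
        return ("PUT", path, body)
    if event == "delete":
        if deactivate_on_delete:   # soft delete: flip 'active' instead of removing
            patch = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [{"op": "replace", "path": "active", "value": False}]}
            return ("PATCH", path, patch)
        return ("DELETE", path, None)
    raise ValueError(f"unknown event {event!r}")


# Constructed sample resource; 'costCenter' is outside the core User schema.
INTERN = {"id": "u-1", "userName": "intern@corp.example", "userType": "Intern",
          "active": True, "costCenter": "R&D"}

if __name__ == "__main__":
    for event in ("create", "update", "delete"):
        print(event, "->", provision(event, INTERN, MAPPING, deactivate_on_delete=True))
```

The strictness setting is the one to look at when the target is not fully under your control: with passthrough, attributes the IdP happens to carry (here the constructed costCenter) are forwarded verbatim to the remote SCIM service, so strict is the conservative default for anything beyond the attributes the target actually needs.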
Add an Access application
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
application = client.zero_trust.access.applications.create(
    domain="test.example.com/admin",
    type="self_hosted",
    account_id="account_id",
)
print(application)
Returns Examples
{
"errors": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"messages": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"success": true,
"result": {
"domain": "test.example.com/admin",
"type": "self_hosted",
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"allow_authenticate_via_warp": true,
"allow_iframe": true,
"allowed_idps": [
"699d98642c564d2e855e9661899b7252"
],
"app_launcher_visible": true,
"aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
"auto_redirect_to_identity": true,
"cors_headers": {
"allow_all_headers": true,
"allow_all_methods": true,
"allow_all_origins": true,
"allow_credentials": true,
"allowed_headers": [
"string"
],
"allowed_methods": [
"GET"
],
"allowed_origins": [
"https://example.com"
],
"max_age": -1
},
"created_at": "2014-01-01T05:20:00.12345Z",
"custom_deny_message": "custom_deny_message",
"custom_deny_url": "custom_deny_url",
"custom_non_identity_deny_url": "custom_non_identity_deny_url",
"custom_pages": [
"699d98642c564d2e855e9661899b7252"
],
"destinations": [
{
"type": "public",
"uri": "test.example.com/admin"
},
{
"type": "public",
"uri": "test.anotherexample.com/staff"
},
{
"cidr": "10.5.0.0/24",
"hostname": "hostname",
"l4_protocol": "tcp",
"port_range": "80-90",
"type": "private",
"vnet_id": "vnet_id"
},
{
"cidr": "10.5.0.3/32",
"hostname": "hostname",
"l4_protocol": "tcp",
"port_range": "80",
"type": "private",
"vnet_id": "vnet_id"
},
{
"cidr": "cidr",
"hostname": "private-sni.example.com",
"l4_protocol": "tcp",
"port_range": "port_range",
"type": "private",
"vnet_id": "vnet_id"
},
{
"mcp_server_id": "mcp-server-1",
"type": "via_mcp_server_portal"
}
],
"enable_binding_cookie": true,
"http_only_cookie_attribute": true,
"logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
"mfa_config": {
"allowed_authenticators": [
"totp",
"biometrics",
"security_key"
],
"mfa_disabled": false,
"session_duration": "24h"
},
"name": "Admin Site",
"oauth_configuration": {
"dynamic_client_registration": {
"allow_any_on_localhost": true,
"allow_any_on_loopback": true,
"allowed_uris": [
"https://example.com/callback"
],
"enabled": true
},
"enabled": true,
"grant": {
"access_token_lifetime": "5m",
"session_duration": "24h"
}
},
"options_preflight_bypass": true,
"path_cookie_attribute": true,
"policies": [
{
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"approval_groups": [
{
"approvals_needed": 1,
"email_addresses": [
"test1@cloudflare.com",
"test2@cloudflare.com"
],
"email_list_uuid": "email_list_uuid"
},
{
"approvals_needed": 3,
"email_addresses": [
"test@cloudflare.com",
"test2@cloudflare.com"
],
"email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
}
],
"approval_required": true,
"connection_rules": {
"rdp": {
"allowed_clipboard_local_to_remote_formats": [
"text"
],
"allowed_clipboard_remote_to_local_formats": [
"text"
]
}
},
"created_at": "2014-01-01T05:20:00.12345Z",
"decision": "allow",
"exclude": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"include": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"isolation_required": false,
"mfa_config": {
"allowed_authenticators": [
"totp",
"biometrics",
"security_key"
],
"mfa_disabled": false,
"session_duration": "24h"
},
"name": "Allow devs",
"precedence": 0,
"purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
"purpose_justification_required": true,
"require": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"session_duration": "24h",
"updated_at": "2014-01-01T05:20:00.12345Z"
}
],
"read_service_tokens_from_header": "Authorization",
"same_site_cookie_attribute": "strict",
"scim_config": {
"idp_uid": "idp_uid",
"remote_uri": "remote_uri",
"authentication": {
"password": "password",
"scheme": "httpbasic",
"user": "user"
},
"deactivate_on_delete": true,
"enabled": true,
"mappings": [
{
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"enabled": true,
"filter": "title pr or userType eq \"Intern\"",
"operations": {
"create": true,
"delete": true,
"update": true
},
"strictness": "strict",
"transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
}
]
},
"self_hosted_domains": [
"test.example.com/admin",
"test.anotherexample.com/staff"
],
"service_auth_401_redirect": true,
"session_duration": "24h",
"skip_interstitial": true,
"tags": [
"engineers"
],
"updated_at": "2014-01-01T05:20:00.12345Z",
"use_clientless_isolation_app_launcher_url": false
}
}