Skip to content
Cloudflare API
Start here
API Reference
Zero Trust
Access
Applications
Policies

Create an Access application policy

zero_trust.access.applications.policies.create(strapp_id, PolicyCreateParams**kwargs) -> PolicyCreateResponse
POST/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies

Creates a policy applying exclusive to a single application that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application’s ‘policies’ array.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Apps and Policies Write
ParametersExpand Collapse
app_id: str

UUID.

maxLength36
account_id: Optional[str]

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id: Optional[str]

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

approval_groups: Optional[Iterable[ApprovalGroupParam]]

Administrators who can approve a temporary authentication request.

approvals_needed: float

The number of approvals needed to obtain access.

minimum0
email_addresses: Optional[List[str]]

A list of emails that can approve the access request.

email_list_uuid: Optional[str]

The UUID of an re-usable email list.

approval_required: Optional[bool]

Requires the user to request access from an administrator at the start of each session.

connection_rules: Optional[ConnectionRules]

The rules that define how users may connect to targets secured by your application.

rdp: Optional[ConnectionRulesRDP]

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]

Clipboard formats allowed when copying from remote RDP session to local machine.

isolation_required: Optional[bool]

Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.

mfa_config: Optional[MfaConfig]

Configures multi-factor authentication (MFA) settings.

allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]

Lists the MFA methods that users can authenticate with.

One of the following:
"totp"
"biometrics"
"security_key"
mfa_disabled: Optional[bool]

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration: Optional[str]

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

precedence: Optional[int]

The order of execution for this policy. Must be unique for each policy within an app.

purpose_justification_prompt: Optional[str]

A custom message that will appear on the purpose justification screen.

purpose_justification_required: Optional[bool]

Require users to enter a justification when they log in to the application.

session_duration: Optional[str]

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

ReturnsExpand Collapse
class PolicyCreateResponse:
id: Optional[str]

The UUID of the policy

maxLength36
approval_groups: Optional[List[ApprovalGroup]]

Administrators who can approve a temporary authentication request.

approvals_needed: float

The number of approvals needed to obtain access.

minimum0
email_addresses: Optional[List[str]]

A list of emails that can approve the access request.

email_list_uuid: Optional[str]

The UUID of an re-usable email list.

approval_required: Optional[bool]

Requires the user to request access from an administrator at the start of each session.

connection_rules: Optional[ConnectionRules]

The rules that define how users may connect to targets secured by your application.

rdp: Optional[ConnectionRulesRDP]

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats: Optional[List[Literal["text"]]]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats: Optional[List[Literal["text"]]]

Clipboard formats allowed when copying from remote RDP session to local machine.

created_at: Optional[datetime]
formatdate-time
decision: Optional[Decision]

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

One of the following:
"allow"
"deny"
"non_identity"
"bypass"
exclude: Optional[List[AccessRule]]

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces a device posture rule has run successfully

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

formatemail
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a Github organization. Requires a Github identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your Github identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
include: Optional[List[AccessRule]]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces a device posture rule has run successfully

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

formatemail
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a Github organization. Requires a Github identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your Github identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
isolation_required: Optional[bool]

Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.

mfa_config: Optional[MfaConfig]

Configures multi-factor authentication (MFA) settings.

allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]

Lists the MFA methods that users can authenticate with.

One of the following:
"totp"
"biometrics"
"security_key"
mfa_disabled: Optional[bool]

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration: Optional[str]

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

name: Optional[str]

The name of the Access policy.

precedence: Optional[int]

The order of execution for this policy. Must be unique for each policy within an app.

purpose_justification_prompt: Optional[str]

A custom message that will appear on the purpose justification screen.

purpose_justification_required: Optional[bool]

Require users to enter a justification when they log in to the application.

require: Optional[List[AccessRule]]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

One of the following:
class GroupRule:

Matches an Access group.

group: Group
id: str

The ID of a previously created Access group.

class AnyValidServiceTokenRule:

Matches any valid Access Service Token

any_valid_service_token: AnyValidServiceToken

An empty object which matches on all service tokens.

class AccessAuthContextRule:

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: AccessAuthContextRuleAuthContext
id: str

The ID of an Authentication context.

ac_id: str

The ACID of an Authentication context.

identity_provider_id: str

The ID of your Azure identity provider.

class AuthenticationMethodRule:

Enforce different MFA options

auth_method: AuthMethod
auth_method: str

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

class AzureGroupRule:

Matches an Azure group. Requires an Azure identity provider.

azure_ad: AzureAD
id: str

The ID of an Azure group.

identity_provider_id: str

The ID of your Azure identity provider.

class CertificateRule:

Matches any valid client certificate.

certificate: Certificate
class AccessCommonNameRule:

Matches a specific common name.

common_name: AccessCommonNameRuleCommonName
common_name: str

The common name to match.

class CountryRule:

Matches a specific country

geo: Geo
country_code: str

The country code that should be matched.

class AccessDevicePostureRule:

Enforces a device posture rule has run successfully

device_posture: DevicePosture
integration_uid: str

The ID of a device posture integration.

class DomainRule:

Match an entire email domain.

email_domain: EmailDomain
domain: str

The email domain to match.

class EmailListRule:

Matches an email address from a list.

email_list: EmailList
id: str

The ID of a previously created email list.

class EmailRule:

Matches a specific email.

email: Email
email: str

The email of the user.

formatemail
class EveryoneRule:

Matches everyone.

everyone: Everyone

An empty object which matches on all users.

class ExternalEvaluationRule:

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: ExternalEvaluation
evaluate_url: str

The API endpoint containing your business logic.

keys_url: str

The API endpoint containing the key that Access uses to verify that the response came from your API.

class GitHubOrganizationRule:

Matches a Github organization. Requires a Github identity provider.

github_organization: GitHubOrganization
identity_provider_id: str

The ID of your Github identity provider.

name: str

The name of the organization.

team: Optional[str]

The name of the team

class GSuiteGroupRule:

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: GSuite
email: str

The email of the Google Workspace group.

identity_provider_id: str

The ID of your Google Workspace identity provider.

class AccessLoginMethodRule:

Matches a specific identity provider id.

login_method: AccessLoginMethodRuleLoginMethod
id: str

The ID of an identity provider.

class IPListRule:

Matches an IP address from a list.

ip_list: IPList
id: str

The ID of a previously created IP list.

class IPRule:

Matches an IP address block.

ip: IP
ip: str

An IPv4 or IPv6 CIDR block.

class OktaGroupRule:

Matches an Okta group. Requires an Okta identity provider.

okta: Okta
identity_provider_id: str

The ID of your Okta identity provider.

name: str

The name of the Okta group.

class SAMLGroupRule:

Matches a SAML group. Requires a SAML identity provider.

saml: SAML
attribute_name: str

The name of the SAML attribute.

attribute_value: str

The SAML attribute value to look for.

identity_provider_id: str

The ID of your SAML identity provider.

class AccessOIDCClaimRule:

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: AccessOIDCClaimRuleOIDC
claim_name: str

The name of the OIDC claim.

claim_value: str

The OIDC claim value to look for.

identity_provider_id: str

The ID of your OIDC identity provider.

class ServiceTokenRule:

Matches a specific Access Service Token

service_token: ServiceToken
token_id: str

The ID of a Service Token.

class AccessLinkedAppTokenRule:

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: AccessLinkedAppTokenRuleLinkedAppToken
app_uid: str

The ID of an Access OIDC SaaS application

class AccessUserRiskScoreRule:

Matches a user’s risk score.

user_risk_score: AccessUserRiskScoreRuleUserRiskScore
user_risk_score: List[Literal["low", "medium", "high", "unscored"]]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:
"low"
"medium"
"high"
"unscored"
session_duration: Optional[str]

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

updated_at: Optional[datetime]
formatdate-time

Create an Access application policy

import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
policy = client.zero_trust.access.applications.policies.create(
    app_id="f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    account_id="account_id",
)
print(policy.id)
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}