Skip to content
Cloudflare API
Start here
API Reference
Zero Trust

Devices

List devices (deprecated)
Deprecated
zero_trust.devices.list(DeviceListParams**kwargs) -> SyncSinglePage[Device]
GET/accounts/{account_id}/devices
Get device (deprecated)
Deprecated
zero_trust.devices.get(strdevice_id, DeviceGetParams**kwargs) -> DeviceGetResponse
GET/accounts/{account_id}/devices/{device_id}
ModelsExpand Collapse
class Device:
id: Optional[str]

Registration ID. Equal to Device ID except for accounts which enabled multi-user mode.

maxLength36
created: Optional[datetime]

When the device was created.

formatdate-time
deleted: Optional[bool]

True if the device was deleted.

device_type: Optional[Literal["windows", "mac", "linux", 3 more]]
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
ip: Optional[str]

IPv4 or IPv6 address.

key: Optional[str]

The device’s public key.

last_seen: Optional[datetime]

When the device last connected to Cloudflare services.

formatdate-time
mac_address: Optional[str]

The device mac address.

manufacturer: Optional[str]

The device manufacturer name.

model: Optional[str]

The device model name.

name: Optional[str]

The device name.

os_distro_name: Optional[str]

The Linux distro name.

os_distro_revision: Optional[str]

The Linux distro revision.

os_version: Optional[str]

The operating system version.

os_version_extra: Optional[str]

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

revoked_at: Optional[datetime]

When the device was revoked.

formatdate-time
serial_number: Optional[str]

The device serial number.

updated: Optional[datetime]

When the device was updated.

formatdate-time
user: Optional[User]
id: Optional[str]

UUID.

maxLength36
email: Optional[str]

The contact email address of the user.

maxLength90
name: Optional[str]

The enrolled device user’s name.

version: Optional[str]

The WARP client version.

class DeviceGetResponse:
id: Optional[str]

Registration ID. Equal to Device ID except for accounts which enabled multi-user mode.

maxLength36
account: Optional[Account]
Deprecatedid: Optional[str]
Deprecatedaccount_type: Optional[str]
name: Optional[str]

The name of the enrolled account.

created: Optional[datetime]

When the device was created.

formatdate-time
deleted: Optional[bool]

True if the device was deleted.

device_type: Optional[str]
Deprecatedgateway_device_id: Optional[str]
ip: Optional[str]

IPv4 or IPv6 address.

key: Optional[str]

The device’s public key.

key_type: Optional[str]

Type of the key.

last_seen: Optional[datetime]

When the device last connected to Cloudflare services.

formatdate-time
mac_address: Optional[str]

The device mac address.

model: Optional[str]

The device model name.

name: Optional[str]

The device name.

os_version: Optional[str]

The operating system version.

serial_number: Optional[str]

The device serial number.

tunnel_type: Optional[str]

Type of the tunnel connection used.

updated: Optional[datetime]

When the device was updated.

formatdate-time
user: Optional[User]
id: Optional[str]

UUID.

maxLength36
email: Optional[str]

The contact email address of the user.

maxLength90
name: Optional[str]

The enrolled device user’s name.

version: Optional[str]

The WARP client version.

DevicesDevices

List devices
zero_trust.devices.devices.list(DeviceListParams**kwargs) -> SyncCursorPagination[DeviceListResponse]
GET/accounts/{account_id}/devices/physical-devices
Get device
zero_trust.devices.devices.get(strdevice_id, DeviceGetParams**kwargs) -> DeviceGetResponse
GET/accounts/{account_id}/devices/physical-devices/{device_id}
Delete device
zero_trust.devices.devices.delete(strdevice_id, DeviceDeleteParams**kwargs) -> object
DELETE/accounts/{account_id}/devices/physical-devices/{device_id}
Revoke device registrations
zero_trust.devices.devices.revoke(strdevice_id, DeviceRevokeParams**kwargs) -> object
POST/accounts/{account_id}/devices/physical-devices/{device_id}/revoke
ModelsExpand Collapse
class DeviceListResponse:

A WARP Device.

id: str

The unique ID of the device.

active_registrations: int

The number of active registrations for the device. Active registrations are those which haven’t been revoked or deleted.

created_at: str

The RFC3339 timestamp when the device was created.

last_seen_at: Optional[str]

The RFC3339 timestamp when the device was last seen.

name: str

The name of the device.

updated_at: str

The RFC3339 timestamp when the device was last updated.

client_version: Optional[str]

Version of the WARP client.

deleted_at: Optional[str]

The RFC3339 timestamp when the device was deleted.

device_type: Optional[str]

The device operating system.

hardware_id: Optional[str]

A string that uniquely identifies the hardware or virtual machine (VM).

last_seen_registration: Optional[LastSeenRegistration]

The last seen registration for the device.

policy: Optional[LastSeenRegistrationPolicy]

A summary of the device profile evaluated for the registration.

id: str

The ID of the device settings profile.

default: bool

Whether the device settings profile is the default profile for the account.

deleted: bool

Whether the device settings profile was deleted.

name: str

The name of the device settings profile.

updated_at: str

The RFC3339 timestamp of when the device settings profile last changed for the registration.

last_seen_user: Optional[LastSeenUser]

The last user to use the WARP device.

id: Optional[str]

UUID.

maxLength36
email: Optional[str]

The contact email address of the user.

maxLength90
name: Optional[str]

The enrolled device user’s name.

mac_address: Optional[str]

The device MAC address.

manufacturer: Optional[str]

The device manufacturer.

model: Optional[str]

The model name of the device.

os_version: Optional[str]

The device operating system version number.

os_version_extra: Optional[str]

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

serial_number: Optional[str]

The device serial number.

class DeviceGetResponse:

A WARP Device.

id: str

The unique ID of the device.

active_registrations: int

The number of active registrations for the device. Active registrations are those which haven’t been revoked or deleted.

created_at: str

The RFC3339 timestamp when the device was created.

last_seen_at: Optional[str]

The RFC3339 timestamp when the device was last seen.

name: str

The name of the device.

updated_at: str

The RFC3339 timestamp when the device was last updated.

client_version: Optional[str]

Version of the WARP client.

deleted_at: Optional[str]

The RFC3339 timestamp when the device was deleted.

device_type: Optional[str]

The device operating system.

hardware_id: Optional[str]

A string that uniquely identifies the hardware or virtual machine (VM).

last_seen_registration: Optional[LastSeenRegistration]

The last seen registration for the device.

policy: Optional[LastSeenRegistrationPolicy]

A summary of the device profile evaluated for the registration.

id: str

The ID of the device settings profile.

default: bool

Whether the device settings profile is the default profile for the account.

deleted: bool

Whether the device settings profile was deleted.

name: str

The name of the device settings profile.

updated_at: str

The RFC3339 timestamp of when the device settings profile last changed for the registration.

last_seen_user: Optional[LastSeenUser]

The last user to use the WARP device.

id: Optional[str]

UUID.

maxLength36
email: Optional[str]

The contact email address of the user.

maxLength90
name: Optional[str]

The enrolled device user’s name.

mac_address: Optional[str]

The device MAC address.

manufacturer: Optional[str]

The device manufacturer.

model: Optional[str]

The model name of the device.

os_version: Optional[str]

The device operating system version number.

os_version_extra: Optional[str]

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

serial_number: Optional[str]

The device serial number.

DevicesResilience

DevicesResilienceGlobal WARP Override

Retrieve Global WARP override state
zero_trust.devices.resilience.global_warp_override.get(GlobalWARPOverrideGetParams**kwargs) -> GlobalWARPOverrideGetResponse
GET/accounts/{account_id}/devices/resilience/disconnect
Set Global WARP override state
zero_trust.devices.resilience.global_warp_override.create(GlobalWARPOverrideCreateParams**kwargs) -> GlobalWARPOverrideCreateResponse
POST/accounts/{account_id}/devices/resilience/disconnect
ModelsExpand Collapse
class GlobalWARPOverrideGetResponse:
disconnect: Optional[bool]

Disconnects all devices on the account using Global WARP override.

timestamp: Optional[datetime]

When the Global WARP override state was updated.

formatdate-time
class GlobalWARPOverrideCreateResponse:
disconnect: Optional[bool]

Disconnects all devices on the account using Global WARP override.

timestamp: Optional[datetime]

When the Global WARP override state was updated.

formatdate-time

DevicesRegistrations

List registrations
zero_trust.devices.registrations.list(RegistrationListParams**kwargs) -> SyncCursorPagination[RegistrationListResponse]
GET/accounts/{account_id}/devices/registrations
Get registration
zero_trust.devices.registrations.get(strregistration_id, RegistrationGetParams**kwargs) -> RegistrationGetResponse
GET/accounts/{account_id}/devices/registrations/{registration_id}
Delete registration
zero_trust.devices.registrations.delete(strregistration_id, RegistrationDeleteParams**kwargs) -> object
DELETE/accounts/{account_id}/devices/registrations/{registration_id}
Delete registrations
zero_trust.devices.registrations.bulk_delete(RegistrationBulkDeleteParams**kwargs) -> object
DELETE/accounts/{account_id}/devices/registrations
Revoke registrations
zero_trust.devices.registrations.revoke(RegistrationRevokeParams**kwargs) -> object
POST/accounts/{account_id}/devices/registrations/revoke
Unrevoke registrations
zero_trust.devices.registrations.unrevoke(RegistrationUnrevokeParams**kwargs) -> object
POST/accounts/{account_id}/devices/registrations/unrevoke
ModelsExpand Collapse
class RegistrationListResponse:

A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.

id: str

The ID of the registration.

created_at: str

The RFC3339 timestamp when the registration was created.

device: Device

Device details embedded inside of a registration.

id: str

The ID of the device.

name: str

The name of the device.

client_version: Optional[str]

Version of the WARP client.

key: str

The public key used to connect to the Cloudflare network.

last_seen_at: str

The RFC3339 timestamp when the registration was last seen.

updated_at: str

The RFC3339 timestamp when the registration was last updated.

deleted_at: Optional[str]

The RFC3339 timestamp when the registration was deleted.

key_type: Optional[str]

The type of encryption key used by the WARP client for the active key. Currently ‘curve25519’ for WireGuard and ‘secp256r1’ for MASQUE.

policy: Optional[Policy]

The device settings profile assigned to this registration.

id: str

The ID of the device settings profile.

default: bool

Whether the device settings profile is the default profile for the account.

deleted: bool

Whether the device settings profile was deleted.

name: str

The name of the device settings profile.

updated_at: str

The RFC3339 timestamp of when the device settings profile last changed for the registration.

revoked_at: Optional[str]

The RFC3339 timestamp when the registration was revoked.

tunnel_type: Optional[str]

Type of the tunnel - wireguard or masque.

user: Optional[User]
id: Optional[str]

UUID.

maxLength36
email: Optional[str]

The contact email address of the user.

maxLength90
name: Optional[str]

The enrolled device user’s name.

virtual_ipv4: Optional[str]

The virtual IPv4 address assigned to the network interface of the tunnel for this registration.

virtual_ipv6: Optional[str]

The virtual IPv6 address assigned to the network interface of the tunnel for this registration.

class RegistrationGetResponse:

A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.

id: str

The ID of the registration.

created_at: str

The RFC3339 timestamp when the registration was created.

device: Device

Device details embedded inside of a registration.

id: str

The ID of the device.

name: str

The name of the device.

client_version: Optional[str]

Version of the WARP client.

key: str

The public key used to connect to the Cloudflare network.

last_seen_at: str

The RFC3339 timestamp when the registration was last seen.

updated_at: str

The RFC3339 timestamp when the registration was last updated.

deleted_at: Optional[str]

The RFC3339 timestamp when the registration was deleted.

key_type: Optional[str]

The type of encryption key used by the WARP client for the active key. Currently ‘curve25519’ for WireGuard and ‘secp256r1’ for MASQUE.

policy: Optional[Policy]

The device settings profile assigned to this registration.

id: str

The ID of the device settings profile.

default: bool

Whether the device settings profile is the default profile for the account.

deleted: bool

Whether the device settings profile was deleted.

name: str

The name of the device settings profile.

updated_at: str

The RFC3339 timestamp of when the device settings profile last changed for the registration.

revoked_at: Optional[str]

The RFC3339 timestamp when the registration was revoked.

tunnel_type: Optional[str]

Type of the tunnel - wireguard or masque.

user: Optional[User]
id: Optional[str]

UUID.

maxLength36
email: Optional[str]

The contact email address of the user.

maxLength90
name: Optional[str]

The enrolled device user’s name.

virtual_ipv4: Optional[str]

The virtual IPv4 address assigned to the network interface of the tunnel for this registration.

virtual_ipv6: Optional[str]

The virtual IPv6 address assigned to the network interface of the tunnel for this registration.

DevicesDEX Tests

List Device DEX tests
zero_trust.devices.dex_tests.list(DEXTestListParams**kwargs) -> SyncV4PagePaginationArray[DEXTestListResponse]
GET/accounts/{account_id}/dex/devices/dex_tests
Get Device DEX test
zero_trust.devices.dex_tests.get(strdex_test_id, DEXTestGetParams**kwargs) -> DEXTestGetResponse
GET/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}
Create Device DEX test
zero_trust.devices.dex_tests.create(DEXTestCreateParams**kwargs) -> DEXTestCreateResponse
POST/accounts/{account_id}/dex/devices/dex_tests
Update Device DEX test
zero_trust.devices.dex_tests.update(strdex_test_id, DEXTestUpdateParams**kwargs) -> DEXTestUpdateResponse
PUT/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}
Delete Device DEX test
zero_trust.devices.dex_tests.delete(strdex_test_id, DEXTestDeleteParams**kwargs) -> DEXTestDeleteResponse
DELETE/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}
ModelsExpand Collapse
class SchemaData:

The configuration object which contains the details for the WARP client to conduct the test.

host: Optional[str]

The desired endpoint to test.

kind: Optional[str]

The type of test.

method: Optional[str]

The HTTP request method type.

class SchemaHTTP:
data: SchemaData

The configuration object which contains the details for the WARP client to conduct the test.

enabled: bool

Determines whether or not the test is active.

interval: str

How often the test will run.

name: str

The name of the DEX test. Must be unique.

description: Optional[str]

Additional details about the test.

target_policies: Optional[List[TargetPolicy]]

Device settings profiles targeted by this test.

id: Optional[str]

The id of the device settings profile.

default: Optional[bool]

Whether the profile is the account default.

name: Optional[str]

The name of the device settings profile.

targeted: Optional[bool]
test_id: Optional[str]

The unique identifier for the test.

maxLength32
class DEXTestListResponse:
data: Data

The configuration object which contains the details for the WARP client to conduct the test.

host: str

The desired endpoint to test.

kind: Literal["http", "traceroute"]

The type of test.

One of the following:
"http"
"traceroute"
method: Optional[Literal["GET"]]

The HTTP request method type.

enabled: bool

Determines whether or not the test is active.

interval: str

How often the test will run.

name: str

The name of the DEX test. Must be unique.

description: Optional[str]

Additional details about the test.

target_policies: Optional[List[TargetPolicy]]

DEX rules targeted by this test

id: str

The id of the DEX rule.

maxLength36
default: Optional[bool]

Whether the DEX rule is the account default.

name: Optional[str]

The name of the DEX rule.

targeted: Optional[bool]
test_id: Optional[str]

The unique identifier for the test.

maxLength32
class DEXTestGetResponse:
data: Data

The configuration object which contains the details for the WARP client to conduct the test.

host: str

The desired endpoint to test.

kind: Literal["http", "traceroute"]

The type of test.

One of the following:
"http"
"traceroute"
method: Optional[Literal["GET"]]

The HTTP request method type.

enabled: bool

Determines whether or not the test is active.

interval: str

How often the test will run.

name: str

The name of the DEX test. Must be unique.

description: Optional[str]

Additional details about the test.

target_policies: Optional[List[TargetPolicy]]

DEX rules targeted by this test

id: str

The id of the DEX rule.

maxLength36
default: Optional[bool]

Whether the DEX rule is the account default.

name: Optional[str]

The name of the DEX rule.

targeted: Optional[bool]
test_id: Optional[str]

The unique identifier for the test.

maxLength32
class DEXTestCreateResponse:
data: Data

The configuration object which contains the details for the WARP client to conduct the test.

host: str

The desired endpoint to test.

kind: Literal["http", "traceroute"]

The type of test.

One of the following:
"http"
"traceroute"
method: Optional[Literal["GET"]]

The HTTP request method type.

enabled: bool

Determines whether or not the test is active.

interval: str

How often the test will run.

name: str

The name of the DEX test. Must be unique.

description: Optional[str]

Additional details about the test.

target_policies: Optional[List[TargetPolicy]]

DEX rules targeted by this test

id: str

The id of the DEX rule.

maxLength36
default: Optional[bool]

Whether the DEX rule is the account default.

name: Optional[str]

The name of the DEX rule.

targeted: Optional[bool]
test_id: Optional[str]

The unique identifier for the test.

maxLength32
class DEXTestUpdateResponse:
data: Data

The configuration object which contains the details for the WARP client to conduct the test.

host: str

The desired endpoint to test.

kind: Literal["http", "traceroute"]

The type of test.

One of the following:
"http"
"traceroute"
method: Optional[Literal["GET"]]

The HTTP request method type.

enabled: bool

Determines whether or not the test is active.

interval: str

How often the test will run.

name: str

The name of the DEX test. Must be unique.

description: Optional[str]

Additional details about the test.

target_policies: Optional[List[TargetPolicy]]

DEX rules targeted by this test

id: str

The id of the DEX rule.

maxLength36
default: Optional[bool]

Whether the DEX rule is the account default.

name: Optional[str]

The name of the DEX rule.

targeted: Optional[bool]
test_id: Optional[str]

The unique identifier for the test.

maxLength32
class DEXTestDeleteResponse:
dex_tests: Optional[List[DEXTest]]
data: DEXTestData

The configuration object which contains the details for the WARP client to conduct the test.

host: str

The desired endpoint to test.

kind: Literal["http", "traceroute"]

The type of test.

One of the following:
"http"
"traceroute"
method: Optional[Literal["GET"]]

The HTTP request method type.

enabled: bool

Determines whether or not the test is active.

interval: str

How often the test will run.

name: str

The name of the DEX test. Must be unique.

description: Optional[str]

Additional details about the test.

target_policies: Optional[List[DEXTestTargetPolicy]]

DEX rules targeted by this test

id: str

The id of the DEX rule.

maxLength36
default: Optional[bool]

Whether the DEX rule is the account default.

name: Optional[str]

The name of the DEX rule.

targeted: Optional[bool]
test_id: Optional[str]

The unique identifier for the test.

maxLength32

DevicesIP Profiles

List IP profiles
zero_trust.devices.ip_profiles.list(IPProfileListParams**kwargs) -> SyncV4PagePaginationArray[IPProfile]
GET/accounts/{account_id}/devices/ip-profiles
Get IP profile
zero_trust.devices.ip_profiles.get(strprofile_id, IPProfileGetParams**kwargs) -> IPProfile
GET/accounts/{account_id}/devices/ip-profiles/{profile_id}
Create IP profile
zero_trust.devices.ip_profiles.create(IPProfileCreateParams**kwargs) -> IPProfile
POST/accounts/{account_id}/devices/ip-profiles
Update IP profile
zero_trust.devices.ip_profiles.update(strprofile_id, IPProfileUpdateParams**kwargs) -> IPProfile
PATCH/accounts/{account_id}/devices/ip-profiles/{profile_id}
Delete IP profile
zero_trust.devices.ip_profiles.delete(strprofile_id, IPProfileDeleteParams**kwargs) -> IPProfileDeleteResponse
DELETE/accounts/{account_id}/devices/ip-profiles/{profile_id}
ModelsExpand Collapse
class IPProfile:
id: str

The ID of the Device IP profile.

created_at: str

The RFC3339Nano timestamp when the Device IP profile was created.

description: Optional[str]

An optional description of the Device IP profile.

enabled: bool

Whether the Device IP profile is enabled.

match: str

The wirefilter expression to match registrations. Available values: “identity.name”, “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.saml_attributes”.

maxLength10000
name: str

A user-friendly name for the Device IP profile.

precedence: int

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: str

The ID of the Subnet.

updated_at: str

The RFC3339Nano timestamp when the Device IP profile was last updated.

class IPProfileDeleteResponse:
id: Optional[str]

ID of the deleted Device IP profile.

DevicesDeployment Groups

List deployment groups
zero_trust.devices.deployment_groups.list(DeploymentGroupListParams**kwargs) -> SyncV4PagePaginationArray[DeploymentGroup]
GET/accounts/{account_id}/devices/deployment-groups
Get deployment group
zero_trust.devices.deployment_groups.get(strgroup_id, DeploymentGroupGetParams**kwargs) -> DeploymentGroup
GET/accounts/{account_id}/devices/deployment-groups/{group_id}
Create deployment group
zero_trust.devices.deployment_groups.create(DeploymentGroupCreateParams**kwargs) -> DeploymentGroup
POST/accounts/{account_id}/devices/deployment-groups
Update deployment group
zero_trust.devices.deployment_groups.edit(strgroup_id, DeploymentGroupEditParams**kwargs) -> DeploymentGroup
PATCH/accounts/{account_id}/devices/deployment-groups/{group_id}
Delete deployment group
zero_trust.devices.deployment_groups.delete(strgroup_id, DeploymentGroupDeleteParams**kwargs) -> DeploymentGroupDeleteResponse
DELETE/accounts/{account_id}/devices/deployment-groups/{group_id}
ModelsExpand Collapse
class DeploymentGroup:
id: str

The ID of the deployment group.

created_at: str

The RFC3339Nano timestamp when the deployment group was created.

name: str

A user-friendly name for the deployment group.

maxLength255
minLength1
updated_at: str

The RFC3339Nano timestamp when the deployment group was last updated.

version_config: List[VersionConfig]

Contains version configurations for different target environments.

target_environment: Optional[str]

The target environment for the client version (e.g., windows, macos).

version: str

The specific client version to deploy.

policy_ids: Optional[List[str]]

Contains a list of policy IDs assigned to this deployment group.

class DeploymentGroupDeleteResponse:
id: Optional[str]

The ID of a deleted deployment group.

DevicesNetworks

List your device managed networks
zero_trust.devices.networks.list(NetworkListParams**kwargs) -> SyncSinglePage[DeviceNetwork]
GET/accounts/{account_id}/devices/networks
Get device managed network details
zero_trust.devices.networks.get(strnetwork_id, NetworkGetParams**kwargs) -> DeviceNetwork
GET/accounts/{account_id}/devices/networks/{network_id}
Create a device managed network
zero_trust.devices.networks.create(NetworkCreateParams**kwargs) -> DeviceNetwork
POST/accounts/{account_id}/devices/networks
Update a device managed network
zero_trust.devices.networks.update(strnetwork_id, NetworkUpdateParams**kwargs) -> DeviceNetwork
PUT/accounts/{account_id}/devices/networks/{network_id}
Delete a device managed network
zero_trust.devices.networks.delete(strnetwork_id, NetworkDeleteParams**kwargs) -> SyncSinglePage[DeviceNetwork]
DELETE/accounts/{account_id}/devices/networks/{network_id}
ModelsExpand Collapse
class DeviceNetwork:
config: Optional[Config]

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: str

A network address of the form “host:port” that the WARP client will use to detect the presence of a TLS host.

sha256: Optional[str]

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

name: Optional[str]

The name of the device managed network. This name must be unique.

network_id: Optional[str]

API UUID.

maxLength36
type: Optional[Literal["tls"]]

The type of device managed network.

DevicesFleet Status

Get the live status of a latest device
zero_trust.devices.fleet_status.get(strdevice_id, FleetStatusGetParams**kwargs) -> FleetStatusGetResponse
GET/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live
ModelsExpand Collapse
class FleetStatusGetResponse:
colo: str

Cloudflare colo airport code.

device_id: str

Device identifier (UUID v4)

mode: str

The mode under which the WARP client is run.

platform: str

Operating system.

status: str

Network status.

timestamp: str
version: str

WARP client version.

always_on: Optional[bool]
battery_charging: Optional[bool]
battery_cycles: Optional[int]
formatint64
battery_pct: Optional[float]
formatfloat
connection_type: Optional[str]
cpu_pct: Optional[float]
formatfloat
cpu_pct_by_app: Optional[List[CPUPctByApp]]
cpu_pct: Optional[float]

CPU usage percentage, on a scale of 0 to 100.

formatfloat
maximum100
minimum0
name: Optional[str]

Application name.

device_ipv4: Optional[DeviceIPV4]
address: Optional[str]
asn: Optional[int]
aso: Optional[str]
location: Optional[DeviceIPV4Location]
city: Optional[str]
country_iso: Optional[str]
state_iso: Optional[str]
zip: Optional[str]
name: Optional[str]
netmask: Optional[str]
version: Optional[int]

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

device_ipv6: Optional[DeviceIPV6]
address: Optional[str]
asn: Optional[int]
aso: Optional[str]
location: Optional[DeviceIPV6Location]
city: Optional[str]
country_iso: Optional[str]
state_iso: Optional[str]
zip: Optional[str]
name: Optional[str]
netmask: Optional[str]
version: Optional[int]

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

device_name: Optional[str]

Device identifier (human readable).

Deprecateddevice_registration: Optional[str]

Use registrationId instead.

Deprecated: use registrationId. Device registration identifier (UUID).

disk_read_bps: Optional[int]
formatint64
disk_usage_pct: Optional[float]
formatfloat
disk_write_bps: Optional[int]
formatint64
doh_subdomain: Optional[str]
estimated_loss_pct: Optional[float]
formatfloat
firewall_enabled: Optional[bool]
gateway_ipv4: Optional[GatewayIPV4]
address: Optional[str]
asn: Optional[int]
aso: Optional[str]
location: Optional[GatewayIPV4Location]
city: Optional[str]
country_iso: Optional[str]
state_iso: Optional[str]
zip: Optional[str]
name: Optional[str]
netmask: Optional[str]
version: Optional[int]

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

gateway_ipv6: Optional[GatewayIPV6]
address: Optional[str]
asn: Optional[int]
aso: Optional[str]
location: Optional[GatewayIPV6Location]
city: Optional[str]
country_iso: Optional[str]
state_iso: Optional[str]
zip: Optional[str]
name: Optional[str]
netmask: Optional[str]
version: Optional[int]

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

handshake_latency_ms: Optional[float]
formatint64
isp_ipv4: Optional[ISPIPV4]
address: Optional[str]
asn: Optional[int]
aso: Optional[str]
location: Optional[ISPIPV4Location]
city: Optional[str]
country_iso: Optional[str]
state_iso: Optional[str]
zip: Optional[str]
name: Optional[str]
netmask: Optional[str]
version: Optional[int]

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

isp_ipv6: Optional[ISPIPV6]
address: Optional[str]
asn: Optional[int]
aso: Optional[str]
location: Optional[ISPIPV6Location]
city: Optional[str]
country_iso: Optional[str]
state_iso: Optional[str]
zip: Optional[str]
name: Optional[str]
netmask: Optional[str]
version: Optional[int]

IP version (1 for IPv4, 2 for IPv6, 0 if unknown).

metal: Optional[str]
network_rcvd_bps: Optional[int]
formatint64
network_sent_bps: Optional[int]
formatint64
network_ssid: Optional[str]
person_email: Optional[str]

User contact email address

ram_available_kb: Optional[int]
formatint64
ram_used_pct: Optional[float]
formatfloat
ram_used_pct_by_app: Optional[List[RamUsedPctByApp]]
name: Optional[str]

Application name.

ram_used_pct: Optional[float]

RAM usage percentage, on a scale of 0 to 100.

formatfloat
maximum100
minimum0
registration_id: Optional[str]

Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user’s registration on the device.

rtt: Optional[RTT]

Round-trip time statistics for the WARP tunnel.

min_rtt_us: Optional[RTTMinRTTUs]

Minimum round-trip time in microseconds.

downstream: Optional[int]
upstream: Optional[int]
rtt_us: Optional[RTTRTTUs]

Round-trip time in microseconds.

downstream: Optional[int]
upstream: Optional[int]
rtt_var_us: Optional[RTTRTTVarUs]

Round-trip time variance in microseconds.

downstream: Optional[int]
upstream: Optional[int]
switch_locked: Optional[bool]
tunnel_stats: Optional[TunnelStats]

WARP tunnel packet and byte counters.

bytes_lost: Optional[TunnelStatsBytesLost]

Number of bytes lost, split by direction.

downstream: Optional[int]
upstream: Optional[int]
bytes_received: Optional[TunnelStatsBytesReceived]

Number of bytes received, split by direction.

downstream: Optional[int]
upstream: Optional[int]
bytes_retransmitted: Optional[TunnelStatsBytesRetransmitted]

Number of bytes retransmitted, split by direction.

downstream: Optional[int]
upstream: Optional[int]
bytes_sent: Optional[TunnelStatsBytesSent]

Number of bytes sent, split by direction.

downstream: Optional[int]
upstream: Optional[int]
packets_lost: Optional[TunnelStatsPacketsLost]

Number of packets lost, split by direction.

downstream: Optional[int]
upstream: Optional[int]
packets_received: Optional[TunnelStatsPacketsReceived]

Number of packets received, split by direction.

downstream: Optional[int]
upstream: Optional[int]
packets_retransmitted: Optional[TunnelStatsPacketsRetransmitted]

Number of packets retransmitted, split by direction.

downstream: Optional[int]
upstream: Optional[int]
packets_sent: Optional[TunnelStatsPacketsSent]

Number of packets sent, split by direction.

downstream: Optional[int]
upstream: Optional[int]
stats_window_ms: Optional[int]

The measurement window duration in milliseconds.

tunnel_type: Optional[str]
wifi_strength_dbm: Optional[int]
formatint64

DevicesPolicies

ModelsExpand Collapse
class DevicePolicyCertificates:
enabled: bool

The current status of the device policy certificate provisioning feature for WARP clients.

class FallbackDomain:
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

Optional[List[FallbackDomain]]
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

class SettingsPolicy:
allow_mode_switch: Optional[bool]

Whether to allow the user to switch WARP between modes.

allow_updates: Optional[bool]

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Optional[bool]

Whether to allow devices to leave the organization.

auto_connect: Optional[float]

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Optional[float]

Turn on the captive portal after the specified amount of time.

default: Optional[bool]

Whether the policy is the default policy for an account.

description: Optional[str]

A description of the policy.

maxLength500
disable_auto_fallback: Optional[bool]

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes: Optional[List[DNSSearchSuffix]]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: str

The DNS search suffix to append when resolving short hostnames.

description: Optional[str]

A description of the DNS search suffix.

enabled: Optional[bool]

Whether the policy will be applied to matching devices.

exclude: Optional[List[SplitTunnelExclude]]

List of routes excluded in the WARP client’s tunnel.

One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips: Optional[bool]

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: Optional[List[FallbackDomain]]
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

gateway_unique_id: Optional[str]
global_acceleration: Optional[GlobalAcceleration]

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: List[str]

IP:port entries for the API endpoints.

enabled: bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: List[str]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: List[str]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include: Optional[List[SplitTunnelInclude]]

List of routes included in the WARP client’s tunnel.

One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
lan_allow_minutes: Optional[float]

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Optional[float]

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: Optional[str]

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength500
name: Optional[str]

The name of the device settings profile.

maxLength100
policy_id: Optional[str]
maxLength36
precedence: Optional[float]

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Optional[bool]

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Optional[bool]

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Optional[ServiceModeV2]
mode: Optional[str]

The mode to run the WARP client under.

port: Optional[float]

The port number when used with proxy mode.

support_url: Optional[str]

The URL to launch when the Send Feedback button is clicked.

switch_locked: Optional[bool]

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests: Optional[List[TargetTest]]
id: Optional[str]

The id of the DEX test targeting this policy.

name: Optional[str]

The name of the DEX test targeting this policy.

tunnel_protocol: Optional[str]

Determines which tunnel protocol to use.

virtual_networks: Optional[VirtualNetworks]

Virtual network access settings for the device.

allowed: List[str]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: str

The default virtual network ID. Must be included in the allowed list.

formatuuid
One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

DevicesPoliciesDefault

Get the default device settings profile
zero_trust.devices.policies.default.get(DefaultGetParams**kwargs) -> DefaultGetResponse
GET/accounts/{account_id}/devices/policy
Update the default device settings profile
zero_trust.devices.policies.default.edit(DefaultEditParams**kwargs) -> DefaultEditResponse
PATCH/accounts/{account_id}/devices/policy
ModelsExpand Collapse
class DefaultGetResponse:
allow_mode_switch: Optional[bool]

Whether to allow the user to switch WARP between modes.

allow_updates: Optional[bool]

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Optional[bool]

Whether to allow devices to leave the organization.

auto_connect: Optional[float]

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Optional[float]

Turn on the captive portal after the specified amount of time.

default: Optional[bool]

Whether the policy will be applied to matching devices.

disable_auto_fallback: Optional[bool]

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes: Optional[List[DNSSearchSuffix]]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: str

The DNS search suffix to append when resolving short hostnames.

description: Optional[str]

A description of the DNS search suffix.

enabled: Optional[bool]

Whether the policy will be applied to matching devices.

exclude: Optional[List[SplitTunnelExclude]]

List of routes excluded in the WARP client’s tunnel.

One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips: Optional[bool]

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: Optional[List[FallbackDomain]]
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

gateway_unique_id: Optional[str]
global_acceleration: Optional[GlobalAcceleration]

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: List[str]

IP:port entries for the API endpoints.

enabled: bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: List[str]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: List[str]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include: Optional[List[SplitTunnelInclude]]

List of routes included in the WARP client’s tunnel.

One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
policy_id: Optional[str]
maxLength36
register_interface_ip_with_dns: Optional[bool]

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Optional[bool]

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Optional[ServiceModeV2]
mode: Optional[str]

The mode to run the WARP client under.

port: Optional[float]

The port number when used with proxy mode.

support_url: Optional[str]

The URL to launch when the Send Feedback button is clicked.

switch_locked: Optional[bool]

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: Optional[str]

Determines which tunnel protocol to use.

virtual_networks: Optional[VirtualNetworks]

Virtual network access settings for the device.

allowed: List[str]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: str

The default virtual network ID. Must be included in the allowed list.

formatuuid
class DefaultEditResponse:
allow_mode_switch: Optional[bool]

Whether to allow the user to switch WARP between modes.

allow_updates: Optional[bool]

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Optional[bool]

Whether to allow devices to leave the organization.

auto_connect: Optional[float]

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Optional[float]

Turn on the captive portal after the specified amount of time.

default: Optional[bool]

Whether the policy will be applied to matching devices.

disable_auto_fallback: Optional[bool]

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes: Optional[List[DNSSearchSuffix]]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: str

The DNS search suffix to append when resolving short hostnames.

description: Optional[str]

A description of the DNS search suffix.

enabled: Optional[bool]

Whether the policy will be applied to matching devices.

exclude: Optional[List[SplitTunnelExclude]]

List of routes excluded in the WARP client’s tunnel.

One of the following:
class TeamsDevicesExcludeSplitTunnelWithAddress:
address: str

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesExcludeSplitTunnelWithHost:
host: str

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
exclude_office_ips: Optional[bool]

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: Optional[List[FallbackDomain]]
suffix: str

The domain suffix to match when resolving locally.

description: Optional[str]

A description of the fallback domain, displayed in the client UI.

maxLength100
dns_server: Optional[List[str]]

A list of IP addresses to handle domain resolution.

gateway_unique_id: Optional[str]
global_acceleration: Optional[GlobalAcceleration]

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: List[str]

IP:port entries for the API endpoints.

enabled: bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: List[str]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: List[str]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include: Optional[List[SplitTunnelInclude]]

List of routes included in the WARP client’s tunnel.

One of the following:
class TeamsDevicesIncludeSplitTunnelWithAddress:
address: str

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
class TeamsDevicesIncludeSplitTunnelWithHost:
host: str

The domain name to include in the tunnel. If host is present, address must not be present.

description: Optional[str]

A description of the Split Tunnel item, displayed in the client UI.

maxLength100
policy_id: Optional[str]
maxLength36
register_interface_ip_with_dns: Optional[bool]

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Optional[bool]

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Optional[ServiceModeV2]
mode: Optional[str]

The mode to run the WARP client under.

port: Optional[float]

The port number when used with proxy mode.

support_url: Optional[str]

The URL to launch when the Send Feedback button is clicked.

switch_locked: Optional[bool]

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: Optional[str]

Determines which tunnel protocol to use.

virtual_networks: Optional[VirtualNetworks]

Virtual network access settings for the device.

allowed: List[str]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: str

The default virtual network ID. Must be included in the allowed list.

formatuuid

DevicesPoliciesDefaultExcludes

Get the Split Tunnel exclude list
zero_trust.devices.policies.default.excludes.get(ExcludeGetParams**kwargs) -> SyncSinglePage[SplitTunnelExclude]
GET/accounts/{account_id}/devices/policy/exclude
Set the Split Tunnel exclude list
zero_trust.devices.policies.default.excludes.update(ExcludeUpdateParams**kwargs) -> SyncSinglePage[SplitTunnelExclude]
PUT/accounts/{account_id}/devices/policy/exclude

DevicesPoliciesDefaultIncludes

Get the Split Tunnel include list
zero_trust.devices.policies.default.includes.get(IncludeGetParams**kwargs) -> SyncSinglePage[SplitTunnelInclude]
GET/accounts/{account_id}/devices/policy/include
Set the Split Tunnel include list
zero_trust.devices.policies.default.includes.update(IncludeUpdateParams**kwargs) -> SyncSinglePage[SplitTunnelInclude]
PUT/accounts/{account_id}/devices/policy/include

DevicesPoliciesDefaultFallback Domains

Get your Local Domain Fallback list
zero_trust.devices.policies.default.fallback_domains.get(FallbackDomainGetParams**kwargs) -> SyncSinglePage[FallbackDomain]
GET/accounts/{account_id}/devices/policy/fallback_domains
Set your Local Domain Fallback list
zero_trust.devices.policies.default.fallback_domains.update(FallbackDomainUpdateParams**kwargs) -> SyncSinglePage[FallbackDomain]
PUT/accounts/{account_id}/devices/policy/fallback_domains

DevicesPoliciesDefaultCertificates

Get device certificate provisioning status
zero_trust.devices.policies.default.certificates.get(CertificateGetParams**kwargs) -> DevicePolicyCertificates
GET/zones/{zone_id}/devices/policy/certificates
Update device certificate provisioning status
zero_trust.devices.policies.default.certificates.edit(CertificateEditParams**kwargs) -> DevicePolicyCertificates
PATCH/zones/{zone_id}/devices/policy/certificates

DevicesPoliciesCustom

List device settings profiles
zero_trust.devices.policies.custom.list(CustomListParams**kwargs) -> SyncSinglePage[SettingsPolicy]
GET/accounts/{account_id}/devices/policies
Get device settings profile by ID
zero_trust.devices.policies.custom.get(strpolicy_id, CustomGetParams**kwargs) -> SettingsPolicy
GET/accounts/{account_id}/devices/policy/{policy_id}
Create a device settings profile
zero_trust.devices.policies.custom.create(CustomCreateParams**kwargs) -> SettingsPolicy
POST/accounts/{account_id}/devices/policy
Update a device settings profile
zero_trust.devices.policies.custom.edit(strpolicy_id, CustomEditParams**kwargs) -> SettingsPolicy
PATCH/accounts/{account_id}/devices/policy/{policy_id}
Delete a device settings profile
zero_trust.devices.policies.custom.delete(strpolicy_id, CustomDeleteParams**kwargs) -> SyncSinglePage[SettingsPolicy]
DELETE/accounts/{account_id}/devices/policy/{policy_id}

DevicesPoliciesCustomExcludes

Get the Split Tunnel exclude list for a device settings profile
zero_trust.devices.policies.custom.excludes.get(strpolicy_id, ExcludeGetParams**kwargs) -> SyncSinglePage[SplitTunnelExclude]
GET/accounts/{account_id}/devices/policy/{policy_id}/exclude
Set the Split Tunnel exclude list for a device settings profile
zero_trust.devices.policies.custom.excludes.update(strpolicy_id, ExcludeUpdateParams**kwargs) -> SyncSinglePage[SplitTunnelExclude]
PUT/accounts/{account_id}/devices/policy/{policy_id}/exclude

DevicesPoliciesCustomIncludes

Get the Split Tunnel include list for a device settings profile
zero_trust.devices.policies.custom.includes.get(strpolicy_id, IncludeGetParams**kwargs) -> SyncSinglePage[SplitTunnelInclude]
GET/accounts/{account_id}/devices/policy/{policy_id}/include
Set the Split Tunnel include list for a device settings profile
zero_trust.devices.policies.custom.includes.update(strpolicy_id, IncludeUpdateParams**kwargs) -> SyncSinglePage[SplitTunnelInclude]
PUT/accounts/{account_id}/devices/policy/{policy_id}/include

DevicesPoliciesCustomFallback Domains

Get the Local Domain Fallback list for a device settings profile
zero_trust.devices.policies.custom.fallback_domains.get(strpolicy_id, FallbackDomainGetParams**kwargs) -> SyncSinglePage[FallbackDomain]
GET/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains
Set the Local Domain Fallback list for a device settings profile
zero_trust.devices.policies.custom.fallback_domains.update(strpolicy_id, FallbackDomainUpdateParams**kwargs) -> SyncSinglePage[FallbackDomain]
PUT/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

DevicesPosture

List device posture rules
zero_trust.devices.posture.list(PostureListParams**kwargs) -> SyncSinglePage[DevicePostureRule]
GET/accounts/{account_id}/devices/posture
Get device posture rule details
zero_trust.devices.posture.get(strrule_id, PostureGetParams**kwargs) -> DevicePostureRule
GET/accounts/{account_id}/devices/posture/{rule_id}
Create a device posture rule
zero_trust.devices.posture.create(PostureCreateParams**kwargs) -> DevicePostureRule
POST/accounts/{account_id}/devices/posture
Update a device posture rule
zero_trust.devices.posture.update(strrule_id, PostureUpdateParams**kwargs) -> DevicePostureRule
PUT/accounts/{account_id}/devices/posture/{rule_id}
Delete a device posture rule
zero_trust.devices.posture.delete(strrule_id, PostureDeleteParams**kwargs) -> PostureDeleteResponse
DELETE/accounts/{account_id}/devices/posture/{rule_id}
ModelsExpand Collapse
str
class ClientCertificateInput:
certificate_id: str

UUID of Cloudflare managed certificate.

maxLength36
cn: str

Common Name that is protected by the certificate.

class CrowdstrikeInput:
connection_id: str

Posture Integration ID.

last_seen: Optional[str]

For more details on last seen, please refer to the Crowdstrike documentation.

operator: Optional[Literal["<", "<=", ">", 2 more]]

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
os: Optional[str]

Os Version.

overall: Optional[str]

Overall.

sensor_config: Optional[str]

SensorConfig.

state: Optional[Literal["online", "offline", "unknown"]]

For more details on state, please refer to the Crowdstrike documentation.

One of the following:
"online"
"offline"
"unknown"
version: Optional[str]

Version.

version_operator: Optional[Literal["<", "<=", ">", 2 more]]

Version Operator.

One of the following:
"<"
"<="
">"
">="
"=="
DeviceInput

The value to be checked against.

One of the following:
class FileInput:
operating_system: Literal["windows", "linux", "mac"]

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: str

File path.

exists: Optional[bool]

Whether or not file exists.

sha256: Optional[str]

SHA-256.

thumbprint: Optional[str]

Signing certificate thumbprint.

class UniqueClientIDInput:
id: str

List ID.

operating_system: Literal["android", "ios", "chromeos"]

Operating System.

One of the following:
"android"
"ios"
"chromeos"
class DomainJoinedInput:
operating_system: Literal["windows"]

Operating System.

domain: Optional[str]

Domain.

class OSVersionInput:
operating_system: Literal["windows"]

Operating System.

operator: Literal["<", "<=", ">", 2 more]

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
version: str

Version of OS.

os_distro_name: Optional[str]

Operating System Distribution Name (linux only).

os_distro_revision: Optional[str]

Version of OS Distribution (linux only).

os_version_extra: Optional[str]

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

class FirewallInput:
enabled: bool

Enabled.

operating_system: Literal["windows", "mac"]

Operating System.

One of the following:
"windows"
"mac"
class SentineloneInput:
operating_system: Literal["windows", "linux", "mac"]

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: str

File path.

sha256: Optional[str]

SHA-256.

thumbprint: Optional[str]

Signing certificate thumbprint.

class TeamsDevicesCarbonblackInputRequest:
operating_system: Literal["windows", "linux", "mac"]

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: str

File path.

sha256: Optional[str]

SHA-256.

thumbprint: Optional[str]

Signing certificate thumbprint.

class TeamsDevicesAccessSerialNumberListInputRequest:
id: str

UUID of Access List.

maxLength36
class DiskEncryptionInput:
check_disks: Optional[List[CarbonblackInput]]

List of volume names to be checked for encryption.

require_all: Optional[bool]

Whether to check all disks for encryption.

class TeamsDevicesApplicationInputRequest:
operating_system: Literal["windows", "linux", "mac"]

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: str

Path for the application.

sha256: Optional[str]

SHA-256.

thumbprint: Optional[str]

Signing certificate thumbprint.

class ClientCertificateInput:
certificate_id: str

UUID of Cloudflare managed certificate.

maxLength36
cn: str

Common Name that is protected by the certificate.

class TeamsDevicesClientCertificateV2InputRequest:
certificate_id: str

UUID of Cloudflare managed certificate.

maxLength36
check_private_key: bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

operating_system: Literal["windows", "linux", "mac"]

Operating system.

One of the following:
"windows"
"linux"
"mac"
cn: Optional[str]

Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.

extended_key_usage: Optional[List[Literal["clientAuth", "emailProtection"]]]

List of values indicating purposes for which the certificate public key can be used.

One of the following:
"clientAuth"
"emailProtection"
locations: Optional[TeamsDevicesClientCertificateV2InputRequestLocations]
paths: Optional[List[str]]

List of paths to check for client certificate on linux.

trust_stores: Optional[List[Literal["system", "user"]]]

List of trust stores to check for client certificate.

One of the following:
"system"
"user"
subject_alternative_names: Optional[List[str]]

List of certificate Subject Alternative Names.

class TeamsDevicesAntivirusInputRequest:
update_window_days: Optional[float]

Number of days that the antivirus should be updated within.

class WorkspaceOneInput:
compliance_status: Literal["compliant", "noncompliant", "unknown"]

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
connection_id: str

Posture Integration ID.

class CrowdstrikeInput:
connection_id: str

Posture Integration ID.

last_seen: Optional[str]

For more details on last seen, please refer to the Crowdstrike documentation.

operator: Optional[Literal["<", "<=", ">", 2 more]]

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
os: Optional[str]

Os Version.

overall: Optional[str]

Overall.

sensor_config: Optional[str]

SensorConfig.

state: Optional[Literal["online", "offline", "unknown"]]

For more details on state, please refer to the Crowdstrike documentation.

One of the following:
"online"
"offline"
"unknown"
version: Optional[str]

Version.

version_operator: Optional[Literal["<", "<=", ">", 2 more]]

Version Operator.

One of the following:
"<"
"<="
">"
">="
"=="
class IntuneInput:
compliance_status: Literal["compliant", "noncompliant", "unknown", 3 more]

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
"notapplicable"
"ingraceperiod"
"error"
connection_id: str

Posture Integration ID.

class KolideInput:
connection_id: str

Posture Integration ID.

auth_state: Optional[List[Literal["Good", "Notified", "Will Block", "Blocked"]]]

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

One of the following:
"Good"
"Notified"
"Will Block"
"Blocked"
count_operator: Optional[Literal["<", "<=", ">", 2 more]]

Count Operator.

One of the following:
"<"
"<="
">"
">="
"=="
issue_count: Optional[str]

The Number of Issues.

class TaniumInput:
connection_id: str

Posture Integration ID.

eid_last_seen: Optional[str]

For more details on eid last seen, refer to the Tanium documentation.

operator: Optional[Literal["<", "<=", ">", 2 more]]

Operator to evaluate risk_level or eid_last_seen.

One of the following:
"<"
"<="
">"
">="
"=="
risk_level: Optional[Literal["low", "medium", "high", "critical"]]

For more details on risk level, refer to the Tanium documentation.

One of the following:
"low"
"medium"
"high"
"critical"
score_operator: Optional[Literal["<", "<=", ">", 2 more]]

Score Operator.

One of the following:
"<"
"<="
">"
">="
"=="
total_score: Optional[float]

For more details on total score, refer to the Tanium documentation.

class SentineloneS2sInput:
connection_id: str

Posture Integration ID.

active_threats: Optional[float]

The Number of active threats.

infected: Optional[bool]

Whether device is infected.

is_active: Optional[bool]

Whether device is active.

network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]

Network status of device.

One of the following:
"connected"
"disconnected"
"disconnecting"
"connecting"
operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", 4 more]]

Agent operational state.

One of the following:
"na"
"partially_disabled"
"auto_fully_disabled"
"fully_disabled"
"auto_partially_disabled"
"disabled_error"
"db_corruption"
operator: Optional[Literal["<", "<=", ">", 2 more]]

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
class TeamsDevicesCustomS2sInputRequest:
connection_id: str

Posture Integration ID.

operator: Literal["<", "<=", ">", 2 more]

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
score: float

A value between 0-100 assigned to devices set by the 3rd party posture provider.

class DeviceMatch:
platform: Optional[Literal["windows", "mac", "linux", 3 more]]
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
class DevicePostureRule:
id: Optional[str]

API UUID.

maxLength36
description: Optional[str]

The description of the device posture rule.

expiration: Optional[str]

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input: Optional[DeviceInput]

The value to be checked against.

match: Optional[List[DeviceMatch]]

The conditions that the client must match to run the rule.

platform: Optional[Literal["windows", "mac", "linux", 3 more]]
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
name: Optional[str]

The name of the device posture rule.

schedule: Optional[str]

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type: Optional[Literal["file", "application", "tanium", 20 more]]

The type of device posture rule.

One of the following:
"file"
"application"
"tanium"
"gateway"
"warp"
"disk_encryption"
"serial_number"
"sentinelone"
"carbonblack"
"firewall"
"os_version"
"domain_joined"
"client_certificate"
"client_certificate_v2"
"antivirus"
"unique_client_id"
"kolide"
"tanium_s2s"
"crowdstrike_s2s"
"intune"
"workspace_one"
"sentinelone_s2s"
"custom_s2s"
class DiskEncryptionInput:
check_disks: Optional[List[CarbonblackInput]]

List of volume names to be checked for encryption.

require_all: Optional[bool]

Whether to check all disks for encryption.

class DomainJoinedInput:
operating_system: Literal["windows"]

Operating System.

domain: Optional[str]

Domain.

class FileInput:
operating_system: Literal["windows", "linux", "mac"]

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: str

File path.

exists: Optional[bool]

Whether or not file exists.

sha256: Optional[str]

SHA-256.

thumbprint: Optional[str]

Signing certificate thumbprint.

class FirewallInput:
enabled: bool

Enabled.

operating_system: Literal["windows", "mac"]

Operating System.

One of the following:
"windows"
"mac"
class IntuneInput:
compliance_status: Literal["compliant", "noncompliant", "unknown", 3 more]

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
"notapplicable"
"ingraceperiod"
"error"
connection_id: str

Posture Integration ID.

class KolideInput:
connection_id: str

Posture Integration ID.

auth_state: Optional[List[Literal["Good", "Notified", "Will Block", "Blocked"]]]

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

One of the following:
"Good"
"Notified"
"Will Block"
"Blocked"
count_operator: Optional[Literal["<", "<=", ">", 2 more]]

Count Operator.

One of the following:
"<"
"<="
">"
">="
"=="
issue_count: Optional[str]

The Number of Issues.

class OSVersionInput:
operating_system: Literal["windows"]

Operating System.

operator: Literal["<", "<=", ">", 2 more]

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
version: str

Version of OS.

os_distro_name: Optional[str]

Operating System Distribution Name (linux only).

os_distro_revision: Optional[str]

Version of OS Distribution (linux only).

os_version_extra: Optional[str]

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

class SentineloneInput:
operating_system: Literal["windows", "linux", "mac"]

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: str

File path.

sha256: Optional[str]

SHA-256.

thumbprint: Optional[str]

Signing certificate thumbprint.

class SentineloneS2sInput:
connection_id: str

Posture Integration ID.

active_threats: Optional[float]

The Number of active threats.

infected: Optional[bool]

Whether device is infected.

is_active: Optional[bool]

Whether device is active.

network_status: Optional[Literal["connected", "disconnected", "disconnecting", "connecting"]]

Network status of device.

One of the following:
"connected"
"disconnected"
"disconnecting"
"connecting"
operational_state: Optional[Literal["na", "partially_disabled", "auto_fully_disabled", 4 more]]

Agent operational state.

One of the following:
"na"
"partially_disabled"
"auto_fully_disabled"
"fully_disabled"
"auto_partially_disabled"
"disabled_error"
"db_corruption"
operator: Optional[Literal["<", "<=", ">", 2 more]]

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
class TaniumInput:
connection_id: str

Posture Integration ID.

eid_last_seen: Optional[str]

For more details on eid last seen, refer to the Tanium documentation.

operator: Optional[Literal["<", "<=", ">", 2 more]]

Operator to evaluate risk_level or eid_last_seen.

One of the following:
"<"
"<="
">"
">="
"=="
risk_level: Optional[Literal["low", "medium", "high", "critical"]]

For more details on risk level, refer to the Tanium documentation.

One of the following:
"low"
"medium"
"high"
"critical"
score_operator: Optional[Literal["<", "<=", ">", 2 more]]

Score Operator.

One of the following:
"<"
"<="
">"
">="
"=="
total_score: Optional[float]

For more details on total score, refer to the Tanium documentation.

class UniqueClientIDInput:
id: str

List ID.

operating_system: Literal["android", "ios", "chromeos"]

Operating System.

One of the following:
"android"
"ios"
"chromeos"
class WorkspaceOneInput:
compliance_status: Literal["compliant", "noncompliant", "unknown"]

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
connection_id: str

Posture Integration ID.

class PostureDeleteResponse:
id: Optional[str]

API UUID.

maxLength36

DevicesPostureIntegrations

List your device posture integrations
zero_trust.devices.posture.integrations.list(IntegrationListParams**kwargs) -> SyncSinglePage[Integration]
GET/accounts/{account_id}/devices/posture/integration
Get device posture integration details
zero_trust.devices.posture.integrations.get(strintegration_id, IntegrationGetParams**kwargs) -> Integration
GET/accounts/{account_id}/devices/posture/integration/{integration_id}
Create a device posture integration
zero_trust.devices.posture.integrations.create(IntegrationCreateParams**kwargs) -> Integration
POST/accounts/{account_id}/devices/posture/integration
Update a device posture integration
zero_trust.devices.posture.integrations.edit(strintegration_id, IntegrationEditParams**kwargs) -> Integration
PATCH/accounts/{account_id}/devices/posture/integration/{integration_id}
Delete a device posture integration
zero_trust.devices.posture.integrations.delete(strintegration_id, IntegrationDeleteParams**kwargs) -> IntegrationDeleteResponse
DELETE/accounts/{account_id}/devices/posture/integration/{integration_id}
ModelsExpand Collapse
class Integration:
id: Optional[str]

API UUID.

maxLength36
config: Optional[Config]

The configuration object containing third-party integration information.

api_url: str

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: str

The Workspace One Authorization URL depending on your region.

client_id: str

The Workspace One client ID provided in the Workspace One Admin Dashboard.

interval: Optional[str]

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: Optional[str]

The name of the device posture integration.

type: Optional[Literal["workspace_one", "crowdstrike_s2s", "uptycs", 5 more]]

The type of device posture integration.

One of the following:
"workspace_one"
"crowdstrike_s2s"
"uptycs"
"intune"
"kolide"
"tanium_s2s"
"sentinelone_s2s"
"custom_s2s"
Union[str, object, null]
One of the following:
str
object

DevicesRevoke

Revoke devices (deprecated)
Deprecated
zero_trust.devices.revoke.create(RevokeCreateParams**kwargs) -> RevokeCreateResponse
POST/accounts/{account_id}/devices/revoke
ModelsExpand Collapse
Union[str, object, null]
One of the following:
str
object

DevicesSettings

Get device settings for a Zero Trust account
zero_trust.devices.settings.get(SettingGetParams**kwargs) -> DeviceSettings
GET/accounts/{account_id}/devices/settings
Update device settings for a Zero Trust account
zero_trust.devices.settings.update(SettingUpdateParams**kwargs) -> DeviceSettings
PUT/accounts/{account_id}/devices/settings
Patch device settings for a Zero Trust account
zero_trust.devices.settings.edit(SettingEditParams**kwargs) -> DeviceSettings
PATCH/accounts/{account_id}/devices/settings
Reset device settings for a Zero Trust account with defaults. This turns off all proxying.
zero_trust.devices.settings.delete(SettingDeleteParams**kwargs) -> DeviceSettings
DELETE/accounts/{account_id}/devices/settings
ModelsExpand Collapse
class DeviceSettings:
disable_for_time: Optional[float]

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled: Optional[bool]

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint: Optional[str]

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server’s identity. The device will ignore any response if the server’s certificate fingerprint does not exactly match this value.

external_emergency_signal_interval: Optional[str]

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., “5m”, “2m30s”, “1h”). Minimum 30 seconds.

external_emergency_signal_url: Optional[str]

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled: Optional[bool]

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled: Optional[bool]

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled: Optional[bool]

Enable installation of cloudflare managed root certificate.

use_zt_virtual_ip: Optional[bool]

Enable using CGNAT virtual IPv4.

DevicesUnrevoke

Unrevoke devices (deprecated)
Deprecated
zero_trust.devices.unrevoke.create(UnrevokeCreateParams**kwargs) -> UnrevokeCreateResponse
POST/accounts/{account_id}/devices/unrevoke
ModelsExpand Collapse
Union[str, object, null]
One of the following:
str
object

DevicesOverride Codes

Get override codes (deprecated)
Deprecated
zero_trust.devices.override_codes.list(strdevice_id, OverrideCodeListParams**kwargs) -> SyncSinglePage[object]
GET/accounts/{account_id}/devices/{device_id}/override_codes
Get override codes
zero_trust.devices.override_codes.get(strregistration_id, OverrideCodeGetParams**kwargs) -> OverrideCodeGetResponse
GET/accounts/{account_id}/devices/registrations/{registration_id}/override_codes
ModelsExpand Collapse
class OverrideCodeGetResponse:
disable_for_time: Optional[Dict[str, str]]