API Reference

Zero Trust

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Gateway

Get Zero Trust account information

zero_trust.gateway.list(GatewayListParams**kwargs) -> GatewayListResponse

GET/accounts/{account_id}/gateway

Create Zero Trust account

zero_trust.gateway.create(GatewayCreateParams**kwargs) -> GatewayCreateResponse

POST/accounts/{account_id}/gateway

ModelsExpand Collapse

class GatewayListResponse: …

id: Optional[str]

Specify the Cloudflare account ID.

maxLength32

gateway_tag: Optional[str]

Specify the gateway internal ID.

maxLength32

provider_name: Optional[str]

Specify the provider name (usually Cloudflare).

class GatewayCreateResponse: …

id: Optional[str]

Specify the Cloudflare account ID.

maxLength32

gateway_tag: Optional[str]

Specify the gateway internal ID.

maxLength32

provider_name: Optional[str]

Specify the provider name (usually Cloudflare).

GatewayAudit SSH Settings

Get Zero Trust SSH settings

zero_trust.gateway.audit_ssh_settings.get(AuditSSHSettingGetParams**kwargs) -> GatewaySettings

GET/accounts/{account_id}/gateway/audit_ssh_settings

Update Zero Trust SSH settings

zero_trust.gateway.audit_ssh_settings.update(AuditSSHSettingUpdateParams**kwargs) -> GatewaySettings

PUT/accounts/{account_id}/gateway/audit_ssh_settings

Rotate Zero Trust SSH account seed

zero_trust.gateway.audit_ssh_settings.rotate_seed(AuditSSHSettingRotateSeedParams**kwargs) -> GatewaySettings

POST/accounts/{account_id}/gateway/audit_ssh_settings/rotate_seed

ModelsExpand Collapse

class GatewaySettings: …

created_at: Optional[datetime]

formatdate-time

public_key: Optional[str]

Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.

seed_id: Optional[str]

Identify the seed ID.

maxLength36

updated_at: Optional[datetime]

formatdate-time

GatewayCategories

List categories

zero_trust.gateway.categories.list(CategoryListParams**kwargs) -> SyncSinglePage[Category]

GET/accounts/{account_id}/gateway/categories

ModelsExpand Collapse

class Category: …

id: Optional[int]

Identify this category. Only one category per ID.

beta: Optional[bool]

Indicate whether the category is in beta and subject to change.

class_: Optional[Literal["free", "premium", "blocked", 2 more]]

Specify which account types can create policies for this category. blocked Blocks unconditionally for all accounts. removalPending Allows removal from policies but disables addition. noBlock Prevents blocking.

One of the following:

"free"

"premium"

"blocked"

"removalPending"

"noBlock"

description: Optional[str]

Provide a short summary of domains in the category.

name: Optional[str]

Specify the category name.

subcategories: Optional[List[Subcategory]]

Provide all subcategories for this category.

id: Optional[int]

Identify this category. Only one category per ID.

beta: Optional[bool]

Indicate whether the category is in beta and subject to change.

class_: Optional[Literal["free", "premium", "blocked", 2 more]]

Specify which account types can create policies for this category. blocked Blocks unconditionally for all accounts. removalPending Allows removal from policies but disables addition. noBlock Prevents blocking.

One of the following:

"free"

"premium"

"blocked"

"removalPending"

"noBlock"

description: Optional[str]

Provide a short summary of domains in the category.

name: Optional[str]

Specify the category name.

GatewayApp Types

List application and application type mappings

zero_trust.gateway.app_types.list(AppTypeListParams**kwargs) -> SyncSinglePage[AppType]

GET/accounts/{account_id}/gateway/app_types

ModelsExpand Collapse

AppType

One of the following:

class ZeroTrustGatewayApplication: …

id: Optional[int]

Identify this application. Only one application per ID.

application_type_id: Optional[int]

Identify the type of this application. Multiple applications can share the same type. Refers to the id of a returned application type.

created_at: Optional[datetime]

formatdate-time

name: Optional[str]

Specify the name of the application or application type.

class ZeroTrustGatewayApplicationType: …

id: Optional[int]

Identify the type of this application. Multiple applications can share the same type. Refers to the id of a returned application type.

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Provide a short summary of applications with this type.

name: Optional[str]

Specify the name of the application or application type.

GatewayConfigurations

Get Zero Trust account configuration

zero_trust.gateway.configurations.get(ConfigurationGetParams**kwargs) -> ConfigurationGetResponse

GET/accounts/{account_id}/gateway/configuration

Update Zero Trust account configuration

zero_trust.gateway.configurations.update(ConfigurationUpdateParams**kwargs) -> ConfigurationUpdateResponse

PUT/accounts/{account_id}/gateway/configuration

Patch Zero Trust account configuration

zero_trust.gateway.configurations.edit(ConfigurationEditParams**kwargs) -> ConfigurationEditResponse

PATCH/accounts/{account_id}/gateway/configuration

ModelsExpand Collapse

class ActivityLogSettings: …

Specify activity log settings.

enabled: Optional[bool]

Specify whether to log activity.

class AntiVirusSettings: …

Specify anti-virus settings.

enabled_download_phase: Optional[bool]

Specify whether to enable anti-virus scanning on downloads.

enabled_upload_phase: Optional[bool]

Specify whether to enable anti-virus scanning on uploads.

fail_closed: Optional[bool]

Specify whether to block requests for unscannable files.

notification_settings: Optional[NotificationSettings]

Configure the message the user's device shows during an antivirus scan.

class BlockPageSettings: …

Specify block page layout settings.

background_color: Optional[str]

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

enabled: Optional[bool]

Specify whether to enable the custom block page.

footer_text: Optional[str]

Specify the block page footer text when the mode is customized_block_page.

header_text: Optional[str]

Specify the block page header text when the mode is customized_block_page.

include_context: Optional[bool]

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

logo_path: Optional[str]

Specify the full URL to the logo file when the mode is customized_block_page.

mailto_address: Optional[str]

Specify the admin email for users to contact when the mode is customized_block_page.

mailto_subject: Optional[str]

Specify the subject line for emails created from the block page when the mode is customized_block_page.

mode: Optional[Literal["", "customized_block_page", "redirect_uri"]]

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

One of the following:

""

"customized_block_page"

"redirect_uri"

name: Optional[str]

Specify the block page title when the mode is customized_block_page.

read_only: Optional[bool]

Indicate that this setting was shared via the Orgs API and read only for the current account.

source_account: Optional[str]

Indicate the account tag of the account that shared this setting.

suppress_footer: Optional[bool]

Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.

target_uri: Optional[str]

Specify the URI to redirect users to when the mode is redirect_uri.

formaturi

version: Optional[int]

Indicate the version number of the setting.

class BodyScanningSettings: …

Specify the DLP inspection mode.

inspection_mode: Optional[Literal["deep", "shallow"]]

Specify the inspection mode as either deep or shallow.

One of the following:

"deep"

"shallow"

class BrowserIsolationSettings: …

Specify Clientless Browser Isolation settings.

non_identity_enabled: Optional[bool]

Specify whether to enable non-identity onramp support for Browser Isolation.

url_browser_isolation_enabled: Optional[bool]

Specify whether to enable Clientless Browser Isolation.

class CustomCertificateSettings: …

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

enabled: Optional[bool]

Specify whether to enable a custom certificate authority for signing Gateway traffic.

id: Optional[str]

Specify the UUID of the certificate (ID from MTLS certificate store).

binding_status: Optional[str]

Indicate the internal certificate status.

updated_at: Optional[datetime]

formatdate-time

class ExtendedEmailMatching: …

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

enabled: Optional[bool]

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

read_only: Optional[bool]

Indicate that this setting was shared via the Orgs API and read only for the current account.

source_account: Optional[str]

Indicate the account tag of the account that shared this setting.

version: Optional[int]

Indicate the version number of the setting.

class FipsSettings: …

Specify FIPS settings.

tls: Optional[bool]

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

class GatewayConfigurationSettings: …

Specify account settings.

activity_log: Optional[ActivityLogSettings]

Specify activity log settings.

antivirus: Optional[AntiVirusSettings]

Specify anti-virus settings.

block_page: Optional[BlockPageSettings]

Specify block page layout settings.

body_scanning: Optional[BodyScanningSettings]

Specify the DLP inspection mode.

browser_isolation: Optional[BrowserIsolationSettings]

Specify Clientless Browser Isolation settings.

certificate: Optional[Certificate]

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

id: str

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.

Deprecatedcustom_certificate: Optional[CustomCertificateSettings]

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

extended_email_matching: Optional[ExtendedEmailMatching]

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

fips: Optional[FipsSettings]

Specify FIPS settings.

host_selector: Optional[HostSelector]

Enable host selection in egress policies.

enabled: Optional[bool]

Specify whether to enable filtering via hosts for egress policies.

inspection: Optional[Inspection]

Define the proxy inspection mode.

mode: Optional[Literal["static", "dynamic"]]

Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

One of the following:

"static"

"dynamic"

protocol_detection: Optional[ProtocolDetection]

Specify whether to detect protocols from the initial bytes of client traffic.

sandbox: Optional[Sandbox]

Specify whether to enable the sandbox.

enabled: Optional[bool]

Specify whether to enable the sandbox.

fallback_action: Optional[Literal["allow", "block"]]

Specify the action to take when the system cannot scan the file.

One of the following:

"allow"

"block"

tls_decrypt: Optional[TLSSettings]

Specify whether to inspect encrypted HTTP traffic.

class NotificationSettings: …

Configure the message the user's device shows during an antivirus scan.

enabled: Optional[bool]

Specify whether to enable notifications.

include_context: Optional[bool]

Specify whether to include context information as query parameters.

msg: Optional[str]

Specify the message to show in the notification.

support_url: Optional[str]

Specify a URL that directs users to more information. If unset, the notification opens a block page.

class ProtocolDetection: …

Specify whether to detect protocols from the initial bytes of client traffic.

enabled: Optional[bool]

Specify whether to detect protocols from the initial bytes of client traffic.

class TLSSettings: …

Specify whether to inspect encrypted HTTP traffic.

enabled: Optional[bool]

Specify whether to inspect encrypted HTTP traffic.

class ConfigurationGetResponse: …

Specify account settings.

created_at: Optional[datetime]

formatdate-time

settings: Optional[GatewayConfigurationSettings]

Specify account settings.

updated_at: Optional[datetime]

formatdate-time

class ConfigurationUpdateResponse: …

Specify account settings.

created_at: Optional[datetime]

formatdate-time

settings: Optional[GatewayConfigurationSettings]

Specify account settings.

updated_at: Optional[datetime]

formatdate-time

class ConfigurationEditResponse: …

Specify account settings.

created_at: Optional[datetime]

formatdate-time

settings: Optional[GatewayConfigurationSettings]

Specify account settings.

updated_at: Optional[datetime]

formatdate-time

GatewayConfigurationsCustom Certificate

Get Zero Trust certificate configuration

Deprecated

zero_trust.gateway.configurations.custom_certificate.get(CustomCertificateGetParams**kwargs) -> CustomCertificateSettings

GET/accounts/{account_id}/gateway/configuration/custom_certificate

GatewayLists

List Zero Trust lists

zero_trust.gateway.lists.list(ListListParams**kwargs) -> SyncSinglePage[GatewayList]

GET/accounts/{account_id}/gateway/lists

Get Zero Trust list details

zero_trust.gateway.lists.get(strlist_id, ListGetParams**kwargs) -> GatewayList

GET/accounts/{account_id}/gateway/lists/{list_id}

Create Zero Trust list

zero_trust.gateway.lists.create(ListCreateParams**kwargs) -> ListCreateResponse

POST/accounts/{account_id}/gateway/lists

Update Zero Trust list

zero_trust.gateway.lists.update(strlist_id, ListUpdateParams**kwargs) -> GatewayList

PUT/accounts/{account_id}/gateway/lists/{list_id}

Patch Zero Trust list.

zero_trust.gateway.lists.edit(strlist_id, ListEditParams**kwargs) -> GatewayList

PATCH/accounts/{account_id}/gateway/lists/{list_id}

Delete Zero Trust list

zero_trust.gateway.lists.delete(strlist_id, ListDeleteParams**kwargs) -> object

DELETE/accounts/{account_id}/gateway/lists/{list_id}

ModelsExpand Collapse

class GatewayItem: …

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Provide the list item description (optional).

minimum0

value: Optional[str]

Specify the item value.

class GatewayList: …

id: Optional[str]

Identify the API resource with a UUID.

maxLength36

count: Optional[float]

Indicate the number of items in the list.

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Provide the list description.

items: Optional[List[GatewayItem]]

Provide the list items.

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Provide the list item description (optional).

minimum0

value: Optional[str]

Specify the item value.

name: Optional[str]

Specify the list name.

type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]

Specify the list type.

One of the following:

"SERIAL"

"URL"

"DOMAIN"

"EMAIL"

"IP"

"CATEGORY"

"LOCATION"

"DEVICE"

updated_at: Optional[datetime]

formatdate-time

class ListCreateResponse: …

id: Optional[str]

Identify the API resource with a UUID.

maxLength36

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Provide the list description.

items: Optional[List[GatewayItem]]

Provide the list items.

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Provide the list item description (optional).

minimum0

value: Optional[str]

Specify the item value.

name: Optional[str]

Specify the list name.

type: Optional[Literal["SERIAL", "URL", "DOMAIN", 5 more]]

Specify the list type.

One of the following:

"SERIAL"

"URL"

"DOMAIN"

"EMAIL"

"IP"

"CATEGORY"

"LOCATION"

"DEVICE"

updated_at: Optional[datetime]

formatdate-time

GatewayListsItems

Get Zero Trust list items

zero_trust.gateway.lists.items.list(strlist_id, ItemListParams**kwargs) -> SyncSinglePage[ItemListResponse]

GET/accounts/{account_id}/gateway/lists/{list_id}/items

ModelsExpand Collapse

List[GatewayItem]

Provide the list items.

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Provide the list item description (optional).

minimum0

value: Optional[str]

Specify the item value.

GatewayLocations

List Zero Trust Gateway locations

zero_trust.gateway.locations.list(LocationListParams**kwargs) -> SyncSinglePage[Location]

GET/accounts/{account_id}/gateway/locations

Get Zero Trust Gateway location details

zero_trust.gateway.locations.get(strlocation_id, LocationGetParams**kwargs) -> Location

GET/accounts/{account_id}/gateway/locations/{location_id}

Create a Zero Trust Gateway location

zero_trust.gateway.locations.create(LocationCreateParams**kwargs) -> Location

POST/accounts/{account_id}/gateway/locations

Update a Zero Trust Gateway location

zero_trust.gateway.locations.update(strlocation_id, LocationUpdateParams**kwargs) -> Location

PUT/accounts/{account_id}/gateway/locations/{location_id}

Delete a Zero Trust Gateway location

zero_trust.gateway.locations.delete(strlocation_id, LocationDeleteParams**kwargs) -> object

DELETE/accounts/{account_id}/gateway/locations/{location_id}

ModelsExpand Collapse

class DOHEndpoint: …

enabled: Optional[bool]

Indicate whether the DOH endpoint is enabled for this location.

networks: Optional[List[IPNetwork]]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: str

Specify the IP address or IP CIDR.

require_token: Optional[bool]

Specify whether the DOH endpoint requires user identity authentication.

class DOTEndpoint: …

enabled: Optional[bool]

Indicate whether the DOT endpoint is enabled for this location.

networks: Optional[List[IPNetwork]]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: str

Specify the IP address or IP CIDR.

class Endpoint: …

Configure the destination endpoints for this location.

doh: DOHEndpoint

dot: DOTEndpoint

ipv4: IPV4Endpoint

ipv6: IPV6Endpoint

class IPNetwork: …

network: str

Specify the IP address or IP CIDR.

class IPV4Endpoint: …

enabled: Optional[bool]

Indicate whether the IPv4 endpoint is enabled for this location.

class IPV6Endpoint: …

enabled: Optional[bool]

Indicate whether the IPV6 endpoint is enabled for this location.

networks: Optional[List[IPV6Network]]

Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: str

Specify the IPv6 address or IPv6 CIDR.

class IPV6Network: …

network: str

Specify the IPv6 address or IPv6 CIDR.

class Location: …

id: Optional[str]

client_default: Optional[bool]

Indicate whether this location is the default location.

created_at: Optional[datetime]

formatdate-time

dns_destination_ips_id: Optional[str]

Indicate the identifier of the pair of IPv4 addresses assigned to this location.

dns_destination_ipv6_block_id: Optional[str]

Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

doh_subdomain: Optional[str]

Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

ecs_support: Optional[bool]

Indicate whether the location must resolve EDNS queries.

endpoints: Optional[Endpoint]

Configure the destination endpoints for this location.

ip: Optional[str]

Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

ipv4_destination: Optional[str]

Show the primary destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only.

ipv4_destination_backup: Optional[str]

Show the backup destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only.

name: Optional[str]

Specify the location name.

networks: Optional[List[Network]]

Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

network: str

Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

updated_at: Optional[datetime]

formatdate-time

GatewayLogging

Get logging settings for the Zero Trust account

zero_trust.gateway.logging.get(LoggingGetParams**kwargs) -> LoggingSetting

GET/accounts/{account_id}/gateway/logging

Update Zero Trust account logging settings

zero_trust.gateway.logging.update(LoggingUpdateParams**kwargs) -> LoggingSetting

PUT/accounts/{account_id}/gateway/logging

ModelsExpand Collapse

class LoggingSetting: …

redact_pii: Optional[bool]

Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).

settings_by_rule_type: Optional[SettingsByRuleType]

Configure logging settings for each rule type.

dns: Optional[SettingsByRuleTypeDNS]

Configure logging settings for DNS firewall.

log_all: Optional[bool]

Specify whether to log all requests to this service.

log_blocks: Optional[bool]

Specify whether to log only blocking requests to this service.

http: Optional[SettingsByRuleTypeHTTP]

Configure logging settings for HTTP/HTTPS firewall.

log_all: Optional[bool]

Specify whether to log all requests to this service.

log_blocks: Optional[bool]

Specify whether to log only blocking requests to this service.

l4: Optional[SettingsByRuleTypeL4]

Configure logging settings for Network firewall.

log_all: Optional[bool]

Specify whether to log all requests to this service.

log_blocks: Optional[bool]

Specify whether to log only blocking requests to this service.

GatewayProxy Endpoints

List proxy endpoints

zero_trust.gateway.proxy_endpoints.list(ProxyEndpointListParams**kwargs) -> SyncSinglePage[ProxyEndpoint]

GET/accounts/{account_id}/gateway/proxy_endpoints

Get a proxy endpoint

zero_trust.gateway.proxy_endpoints.get(strproxy_endpoint_id, ProxyEndpointGetParams**kwargs) -> ProxyEndpoint

GET/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}

Create a proxy endpoint

zero_trust.gateway.proxy_endpoints.create(ProxyEndpointCreateParams**kwargs) -> ProxyEndpoint

POST/accounts/{account_id}/gateway/proxy_endpoints

Update a proxy endpoint

zero_trust.gateway.proxy_endpoints.edit(strproxy_endpoint_id, ProxyEndpointEditParams**kwargs) -> ProxyEndpoint

PATCH/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}

Delete a proxy endpoint

zero_trust.gateway.proxy_endpoints.delete(strproxy_endpoint_id, ProxyEndpointDeleteParams**kwargs) -> object

DELETE/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}

ModelsExpand Collapse

str

Specify an IPv4 or IPv6 CIDR. Limit IPv6 to a maximum of /109 and IPv4 to a maximum of /25.

ProxyEndpoint

One of the following:

class ZeroTrustGatewayProxyEndpointIP: …

ips: List[GatewayIPs]

Specify the list of CIDRs to restrict ingress connections.

name: str

Specify the name of the proxy endpoint.

id: Optional[str]

created_at: Optional[datetime]

formatdate-time

kind: Optional[Literal["ip"]]

The proxy endpoint kind

subdomain: Optional[str]

Specify the subdomain to use as the destination in the proxy client.

updated_at: Optional[datetime]

formatdate-time

class ZeroTrustGatewayProxyEndpointIdentity: …

kind: Literal["identity"]

The proxy endpoint kind

name: str

Specify the name of the proxy endpoint.

id: Optional[str]

created_at: Optional[datetime]

formatdate-time

subdomain: Optional[str]

Specify the subdomain to use as the destination in the proxy client.

updated_at: Optional[datetime]

formatdate-time

GatewayRules

List Zero Trust Gateway rules

zero_trust.gateway.rules.list(RuleListParams**kwargs) -> SyncSinglePage[GatewayRule]

GET/accounts/{account_id}/gateway/rules

Get Zero Trust Gateway rule details.

zero_trust.gateway.rules.get(strrule_id, RuleGetParams**kwargs) -> GatewayRule

GET/accounts/{account_id}/gateway/rules/{rule_id}

Create a Zero Trust Gateway rule

zero_trust.gateway.rules.create(RuleCreateParams**kwargs) -> GatewayRule

POST/accounts/{account_id}/gateway/rules

Update a Zero Trust Gateway rule

zero_trust.gateway.rules.update(strrule_id, RuleUpdateParams**kwargs) -> GatewayRule

PUT/accounts/{account_id}/gateway/rules/{rule_id}

Delete a Zero Trust Gateway rule

zero_trust.gateway.rules.delete(strrule_id, RuleDeleteParams**kwargs) -> object

DELETE/accounts/{account_id}/gateway/rules/{rule_id}

List Zero Trust Gateway rules inherited from the parent account

zero_trust.gateway.rules.list_tenant(RuleListTenantParams**kwargs) -> SyncSinglePage[GatewayRule]

GET/accounts/{account_id}/gateway/rules/tenant

Reset the expiration of a Zero Trust Gateway Rule

zero_trust.gateway.rules.reset_expiration(strrule_id, RuleResetExpirationParams**kwargs) -> GatewayRule

POST/accounts/{account_id}/gateway/rules/{rule_id}/reset_expiration

ModelsExpand Collapse

class DNSResolverSettingsV4: …

ip: str

Specify the IPv4 address of the upstream resolver.

port: Optional[int]

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Optional[bool]

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

vnet_id: Optional[str]

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

class DNSResolverSettingsV6: …

ip: str

Specify the IPv6 address of the upstream resolver.

port: Optional[int]

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Optional[bool]

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

vnet_id: Optional[str]

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

Literal["http", "dns", "l4", 2 more]

Specify the protocol or layer to use.

One of the following:

"http"

"dns"

"l4"

"egress"

"dns_resolver"

class GatewayRule: …

action: Literal["on", "off", "allow", 13 more]

Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to true.

One of the following:

"on"

"off"

"allow"

"block"

"scan"

"noscan"

"safesearch"

"ytrestricted"

"isolate"

"noisolate"

"override"

"l4_override"

"egress"

"resolve"

"quarantine"

"redirect"

enabled: bool

Specify whether the rule is enabled.

filters: List[GatewayFilter]

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

One of the following:

"http"

"dns"

"l4"

"egress"

"dns_resolver"

name: str

Specify the rule name.

precedence: int

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

traffic: str

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

id: Optional[str]

Identify the API resource with a UUID.

maxLength36

created_at: Optional[datetime]

formatdate-time

deleted_at: Optional[datetime]

Indicate the date of deletion, if any.

formatdate-time

description: Optional[str]

Specify the rule description.

device_posture: Optional[str]

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

expiration: Optional[Expiration]

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expires_at: datetime

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

formatdate-time

duration: Optional[int]

Defines the default duration a policy active in minutes. Must set in order to use the reset_expiration endpoint on this rule.

minimum5

expired: Optional[bool]

Indicates whether the policy is expired.

identity: Optional[str]

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

read_only: Optional[bool]

Indicate that this rule is shared via the Orgs API and read only.

rule_settings: Optional[RuleSetting]

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

schedule: Optional[Schedule]

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

sharable: Optional[bool]

Indicate that this rule is sharable via the Orgs API.

source_account: Optional[str]

Provide the account tag of the account that created the rule.

updated_at: Optional[datetime]

formatdate-time

version: Optional[int]

Indicate the version number of the rule(read-only).

warning_status: Optional[str]

Indicate a warning for a misconfigured rule, if any.

class RuleSetting: …

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

add_headers: Optional[Dict[str, List[str]]]

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

allow_child_bypass: Optional[bool]

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.

audit_ssh: Optional[AuditSSH]

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

command_logging: Optional[bool]

Enable SSH command logging.

biso_admin_controls: Optional[BISOAdminControls]

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

copy: Optional[Literal["enabled", "disabled", "remote_only"]]

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

One of the following:

"enabled"

"disabled"

"remote_only"

dcp: Optional[bool]

Set to false to enable copy-pasting. Only applies when version == "v1".

dd: Optional[bool]

Set to false to enable downloading. Only applies when version == "v1".

dk: Optional[bool]

Set to false to enable keyboard usage. Only applies when version == "v1".

download: Optional[Literal["enabled", "disabled", "remote_only"]]

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

One of the following:

"enabled"

"disabled"

"remote_only"

dp: Optional[bool]

Set to false to enable printing. Only applies when version == "v1".

du: Optional[bool]

Set to false to enable uploading. Only applies when version == "v1".

keyboard: Optional[Literal["enabled", "disabled"]]

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

One of the following:

"enabled"

"disabled"

paste: Optional[Literal["enabled", "disabled", "remote_only"]]

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

One of the following:

"enabled"

"disabled"

"remote_only"

printing: Optional[Literal["enabled", "disabled"]]

Configure print behavior. Default, Printing is enabled. Applies only when version == "v2".

One of the following:

"enabled"

"disabled"

upload: Optional[Literal["enabled", "disabled"]]

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

One of the following:

"enabled"

"disabled"

version: Optional[Literal["v1", "v2"]]

Indicate which version of the browser isolation controls should apply.

One of the following:

"v1"

"v2"

block_page: Optional[BlockPage]

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

target_uri: str

Specify the URI to which the user is redirected.

formaturi

include_context: Optional[bool]

Specify whether to pass the context information as query parameters.

block_page_enabled: Optional[bool]

Enable the custom block page. Settable only for dns rules with action block.

block_reason: Optional[str]

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action set to block.

bypass_parent_rule: Optional[bool]

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

check_session: Optional[CheckSession]

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

duration: Optional[str]

Sets the required session freshness threshold. The API returns a normalized version of this value.

enforce: Optional[bool]

Enable session enforcement.

dns_resolvers: Optional[DNSResolvers]

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for dns_resolver rules.

ipv4: Optional[List[DNSResolverSettingsV4]]

ip: str

Specify the IPv4 address of the upstream resolver.

port: Optional[int]

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Optional[bool]

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

vnet_id: Optional[str]

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

ipv6: Optional[List[DNSResolverSettingsV6]]

ip: str

Specify the IPv6 address of the upstream resolver.

port: Optional[int]

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Optional[bool]

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

vnet_id: Optional[str]

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

egress: Optional[Egress]

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

ipv4: Optional[str]

Specify the IPv4 address to use for egress.

ipv4_fallback: Optional[str]

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

ipv6: Optional[str]

Specify the IPv6 range to use for egress.

forensic_copy: Optional[ForensicCopy]

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

enabled: Optional[bool]

Enable sending the copy to storage.

ignore_cname_category_matches: Optional[bool]

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

insecure_disable_dnssec_validation: Optional[bool]

Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.

ip_categories: Optional[bool]

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

ip_indicator_feeds: Optional[bool]

Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

l4override: Optional[L4override]

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

ip: Optional[str]

Defines the IPv4 or IPv6 address.

port: Optional[int]

Defines a port number to use for TCP/UDP overrides.

notification_settings: Optional[NotificationSettings]

Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to block.

enabled: Optional[bool]

Enable notification.

include_context: Optional[bool]

Indicates whether to pass the context information as query parameters.

msg: Optional[str]

Customize the message shown in the notification.

support_url: Optional[str]

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

override_host: Optional[str]

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

override_ips: Optional[List[str]]

Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

payload_log: Optional[PayloadLog]

Configure DLP payload logging. Settable only for http rules.

enabled: Optional[bool]

Enable DLP payload logging for this rule.

quarantine: Optional[Quarantine]

Configure settings that apply to quarantine rules. Settable only for http rules.

file_types: Optional[List[Literal["exe", "pdf", "doc", 10 more]]]

Specify the types of files to sandbox.

One of the following:

"exe"

"pdf"

"doc"

"docm"

"docx"

"rtf"

"ppt"

"pptx"

"xls"

"xlsm"

"xlsx"

"zip"

"rar"

redirect: Optional[Redirect]

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

target_uri: str

Specify the URI to which the user is redirected.

formaturi

include_context: Optional[bool]

Specify whether to pass the context information as query parameters.

preserve_path_and_query: Optional[bool]

Specify whether to append the path and query parameters from the original request to target_uri.

resolve_dns_internally: Optional[ResolveDNSInternally]

Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for dns_resolver rules.

fallback: Optional[Literal["none", "public_dns"]]

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

One of the following:

"none"

"public_dns"

view_id: Optional[str]

Specify the internal DNS view identifier to pass to the internal DNS service.

resolve_dns_through_cloudflare: Optional[bool]

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for dns_resolver rules.

untrusted_cert: Optional[UntrustedCERT]

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

action: Optional[Literal["pass_through", "block", "error"]]

Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526.

One of the following:

"pass_through"

"block"

"error"

class Schedule: …

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

fri: Optional[str]

Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

mon: Optional[str]

Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

sat: Optional[str]

Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

sun: Optional[str]

Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

thu: Optional[str]

Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

time_zone: Optional[str]

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

tue: Optional[str]

Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

wed: Optional[str]

Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

GatewayCertificates

List Zero Trust certificates

zero_trust.gateway.certificates.list(CertificateListParams**kwargs) -> SyncSinglePage[CertificateListResponse]

GET/accounts/{account_id}/gateway/certificates

Get Zero Trust certificate details

zero_trust.gateway.certificates.get(strcertificate_id, CertificateGetParams**kwargs) -> CertificateGetResponse

GET/accounts/{account_id}/gateway/certificates/{certificate_id}

Create Zero Trust certificate

zero_trust.gateway.certificates.create(CertificateCreateParams**kwargs) -> CertificateCreateResponse

POST/accounts/{account_id}/gateway/certificates

Delete Zero Trust certificate

zero_trust.gateway.certificates.delete(strcertificate_id, CertificateDeleteParams**kwargs) -> CertificateDeleteResponse

DELETE/accounts/{account_id}/gateway/certificates/{certificate_id}

Activate a Zero Trust certificate

zero_trust.gateway.certificates.activate(strcertificate_id, CertificateActivateParams**kwargs) -> CertificateActivateResponse

POST/accounts/{account_id}/gateway/certificates/{certificate_id}/activate

Deactivate a Zero Trust certificate

zero_trust.gateway.certificates.deactivate(strcertificate_id, CertificateDeactivateParams**kwargs) -> CertificateDeactivateResponse

POST/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate

ModelsExpand Collapse

class CertificateListResponse: …

id: Optional[str]

Identify the certificate with a UUID.

maxLength36

binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

One of the following:

"pending_deployment"

"available"

"pending_deletion"

"inactive"

certificate: Optional[str]

Provide the CA certificate (read-only).

created_at: Optional[datetime]

formatdate-time

expires_on: Optional[datetime]

formatdate-time

fingerprint: Optional[str]

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Optional[bool]

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: Optional[str]

Indicate the organization that issued the certificate (read-only).

issuer_raw: Optional[str]

Provide the entire issuer field of the certificate (read-only).

type: Optional[Literal["custom", "gateway_managed"]]

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:

"custom"

"gateway_managed"

updated_at: Optional[datetime]

formatdate-time

uploaded_on: Optional[datetime]

formatdate-time

class CertificateGetResponse: …

id: Optional[str]

Identify the certificate with a UUID.

maxLength36

binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

One of the following:

"pending_deployment"

"available"

"pending_deletion"

"inactive"

certificate: Optional[str]

Provide the CA certificate (read-only).

created_at: Optional[datetime]

formatdate-time

expires_on: Optional[datetime]

formatdate-time

fingerprint: Optional[str]

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Optional[bool]

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: Optional[str]

Indicate the organization that issued the certificate (read-only).

issuer_raw: Optional[str]

Provide the entire issuer field of the certificate (read-only).

type: Optional[Literal["custom", "gateway_managed"]]

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:

"custom"

"gateway_managed"

updated_at: Optional[datetime]

formatdate-time

uploaded_on: Optional[datetime]

formatdate-time

class CertificateCreateResponse: …

id: Optional[str]

Identify the certificate with a UUID.

maxLength36

binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

One of the following:

"pending_deployment"

"available"

"pending_deletion"

"inactive"

certificate: Optional[str]

Provide the CA certificate (read-only).

created_at: Optional[datetime]

formatdate-time

expires_on: Optional[datetime]

formatdate-time

fingerprint: Optional[str]

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Optional[bool]

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: Optional[str]

Indicate the organization that issued the certificate (read-only).

issuer_raw: Optional[str]

Provide the entire issuer field of the certificate (read-only).

type: Optional[Literal["custom", "gateway_managed"]]

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:

"custom"

"gateway_managed"

updated_at: Optional[datetime]

formatdate-time

uploaded_on: Optional[datetime]

formatdate-time

class CertificateDeleteResponse: …

id: Optional[str]

Identify the certificate with a UUID.

maxLength36

binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

One of the following:

"pending_deployment"

"available"

"pending_deletion"

"inactive"

certificate: Optional[str]

Provide the CA certificate (read-only).

created_at: Optional[datetime]

formatdate-time

expires_on: Optional[datetime]

formatdate-time

fingerprint: Optional[str]

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Optional[bool]

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: Optional[str]

Indicate the organization that issued the certificate (read-only).

issuer_raw: Optional[str]

Provide the entire issuer field of the certificate (read-only).

type: Optional[Literal["custom", "gateway_managed"]]

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:

"custom"

"gateway_managed"

updated_at: Optional[datetime]

formatdate-time

uploaded_on: Optional[datetime]

formatdate-time

class CertificateActivateResponse: …

id: Optional[str]

Identify the certificate with a UUID.

maxLength36

binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

One of the following:

"pending_deployment"

"available"

"pending_deletion"

"inactive"

certificate: Optional[str]

Provide the CA certificate (read-only).

created_at: Optional[datetime]

formatdate-time

expires_on: Optional[datetime]

formatdate-time

fingerprint: Optional[str]

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Optional[bool]

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: Optional[str]

Indicate the organization that issued the certificate (read-only).

issuer_raw: Optional[str]

Provide the entire issuer field of the certificate (read-only).

type: Optional[Literal["custom", "gateway_managed"]]

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:

"custom"

"gateway_managed"

updated_at: Optional[datetime]

formatdate-time

uploaded_on: Optional[datetime]

formatdate-time

class CertificateDeactivateResponse: …

id: Optional[str]

Identify the certificate with a UUID.

maxLength36

binding_status: Optional[Literal["pending_deployment", "available", "pending_deletion", "inactive"]]

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

One of the following:

"pending_deployment"

"available"

"pending_deletion"

"inactive"

certificate: Optional[str]

Provide the CA certificate (read-only).

created_at: Optional[datetime]

formatdate-time

expires_on: Optional[datetime]

formatdate-time

fingerprint: Optional[str]

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Optional[bool]

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: Optional[str]

Indicate the organization that issued the certificate (read-only).

issuer_raw: Optional[str]

Provide the entire issuer field of the certificate (read-only).

type: Optional[Literal["custom", "gateway_managed"]]

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:

"custom"

"gateway_managed"

updated_at: Optional[datetime]

formatdate-time

uploaded_on: Optional[datetime]

formatdate-time

GatewayPacfiles

List PAC files

zero_trust.gateway.pacfiles.list(PacfileListParams**kwargs) -> SyncSinglePage[PacfileListResponse]

GET/accounts/{account_id}/gateway/pacfiles

Get a PAC file

zero_trust.gateway.pacfiles.get(strpacfile_id, PacfileGetParams**kwargs) -> PacfileGetResponse

GET/accounts/{account_id}/gateway/pacfiles/{pacfile_id}

Create a PAC file

zero_trust.gateway.pacfiles.create(PacfileCreateParams**kwargs) -> PacfileCreateResponse

POST/accounts/{account_id}/gateway/pacfiles

Update a Zero Trust Gateway PAC file

zero_trust.gateway.pacfiles.update(strpacfile_id, PacfileUpdateParams**kwargs) -> PacfileUpdateResponse

PUT/accounts/{account_id}/gateway/pacfiles/{pacfile_id}

Delete a PAC file

zero_trust.gateway.pacfiles.delete(strpacfile_id, PacfileDeleteParams**kwargs) -> object

DELETE/accounts/{account_id}/gateway/pacfiles/{pacfile_id}

ModelsExpand Collapse

class PacfileListResponse: …

id: Optional[str]

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Detailed description of the PAC file.

name: Optional[str]

Name of the PAC file.

slug: Optional[str]

URL-friendly version of the PAC file name.

updated_at: Optional[datetime]

formatdate-time

url: Optional[str]

Unique URL to download the PAC file.

class PacfileGetResponse: …

id: Optional[str]

contents: Optional[str]

Actual contents of the PAC file

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Detailed description of the PAC file.

name: Optional[str]

Name of the PAC file.

slug: Optional[str]

URL-friendly version of the PAC file name.

updated_at: Optional[datetime]

formatdate-time

url: Optional[str]

Unique URL to download the PAC file.

class PacfileCreateResponse: …

id: Optional[str]

contents: Optional[str]

Actual contents of the PAC file

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Detailed description of the PAC file.

name: Optional[str]

Name of the PAC file.

slug: Optional[str]

URL-friendly version of the PAC file name.

updated_at: Optional[datetime]

formatdate-time

url: Optional[str]

Unique URL to download the PAC file.

class PacfileUpdateResponse: …

id: Optional[str]

contents: Optional[str]

Actual contents of the PAC file

created_at: Optional[datetime]

formatdate-time

description: Optional[str]

Detailed description of the PAC file.

name: Optional[str]

Name of the PAC file.

slug: Optional[str]

URL-friendly version of the PAC file name.

updated_at: Optional[datetime]

formatdate-time

url: Optional[str]

Unique URL to download the PAC file.