Skip to content
Cloudflare API
Start here
API Reference
Zero Trust
Organizations

Update your Zero Trust organization

zero_trust.organizations.update(OrganizationUpdateParams**kwargs) -> Organization
PUT/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Updates the configuration for your Zero Trust organization.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Organizations, Identity Providers, and Groups Write
ParametersExpand Collapse
account_id: Optional[str]

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id: Optional[str]

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

allow_authenticate_via_warp: Optional[bool]

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auth_domain: Optional[str]

The unique subdomain assigned to your Zero Trust organization.

auto_redirect_to_identity: Optional[bool]

When set to true, users skip the identity provider selection step during login.

custom_pages: Optional[CustomPages]
forbidden: Optional[str]

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied: Optional[str]

The uid of the custom page to use when a user is denied access.

deny_unmatched_requests: Optional[bool]

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

deny_unmatched_requests_exempted_zone_names: Optional[SequenceNotStr[str]]

Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

is_ui_read_only: Optional[bool]

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

login_design: Optional[LoginDesignParam]
background_color: Optional[str]

The background color on your login page.

footer_text: Optional[str]

The text at the bottom of your login page.

header_text: Optional[str]

The text at the top of your login page.

logo_path: Optional[str]

The URL of the logo on your login page.

text_color: Optional[str]

The text color on your login page.

mfa_config: Optional[MfaConfig]

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]

Lists the MFA methods that users can authenticate with.

One of the following:
"totp"
"biometrics"
"security_key"
session_duration: Optional[str]

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

mfa_required_for_all_apps: Optional[bool]

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

name: Optional[str]

The name of your Zero Trust organization.

session_duration: Optional[str]

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

ui_read_only_toggle_reason: Optional[str]

A description of the reason why the UI read only field is being toggled.

user_seat_expiration_inactive_time: Optional[str]

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration: Optional[str]

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

ReturnsExpand Collapse
class Organization:
allow_authenticate_via_warp: Optional[bool]

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auth_domain: Optional[str]

The unique subdomain assigned to your Zero Trust organization.

auto_redirect_to_identity: Optional[bool]

When set to true, users skip the identity provider selection step during login.

custom_pages: Optional[CustomPages]
forbidden: Optional[str]

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied: Optional[str]

The uid of the custom page to use when a user is denied access.

deny_unmatched_requests: Optional[bool]

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

deny_unmatched_requests_exempted_zone_names: Optional[List[str]]

Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

is_ui_read_only: Optional[bool]

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

login_design: Optional[LoginDesign]
background_color: Optional[str]

The background color on your login page.

footer_text: Optional[str]

The text at the bottom of your login page.

header_text: Optional[str]

The text at the top of your login page.

logo_path: Optional[str]

The URL of the logo on your login page.

text_color: Optional[str]

The text color on your login page.

mfa_config: Optional[MfaConfig]

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators: Optional[List[Literal["totp", "biometrics", "security_key"]]]

Lists the MFA methods that users can authenticate with.

One of the following:
"totp"
"biometrics"
"security_key"
session_duration: Optional[str]

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

mfa_required_for_all_apps: Optional[bool]

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

name: Optional[str]

The name of your Zero Trust organization.

session_duration: Optional[str]

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

ui_read_only_toggle_reason: Optional[str]

A description of the reason why the UI read only field is being toggled.

user_seat_expiration_inactive_time: Optional[str]

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration: Optional[str]

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

Update your Zero Trust organization

import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
organization = client.zero_trust.organizations.update(
    account_id="account_id",
)
print(organization.auto_redirect_to_identity)
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}