
Risk Scoring

Get risk event/score information for a specific user
zero_trust.risk_scoring.get(user_id: str, **kwargs: RiskScoringGetParams) -> RiskScoringGetResponse
GET /accounts/{account_id}/zt_risk_scoring/{user_id}

Clear the risk score for a particular user
zero_trust.risk_scoring.reset(user_id: str, **kwargs: RiskScoringResetParams) -> object
POST /accounts/{account_id}/zt_risk_scoring/{user_id}/reset
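
Because reset clears a user's score, it is worth checking what was recorded after `last_reset_time` before resetting again. The following is an added example, not part of the SDK or the original page: it works offline on a dict with the `RiskScoringGetResponse` fields, and the function names and the sample record are constructed for illustration.

```python
from datetime import datetime

# Ordering for the three levels the API defines.
LEVELS = {"low": 0, "medium": 1, "high": 2}


def parse_ts(value):
    """Parse an RFC 3339 timestamp; map a trailing 'Z' to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def events_since_reset(user):
    """Summarise the events recorded after the user's last reset.

    `user` is a dict with the RiskScoringGetResponse fields. Returns the
    number of newer events, the highest risk_level among them (None when
    there are none) and their names, newest first. Without a reset time,
    every event counts.
    """
    reset = user.get("last_reset_time")
    cutoff = parse_ts(reset) if reset else None
    recent = [
        e for e in user["events"]
        if cutoff is None or parse_ts(e["timestamp"]) > cutoff
    ]
    recent.sort(key=lambda e: parse_ts(e["timestamp"]), reverse=True)
    levels = (e["risk_level"] for e in recent)
    highest = max(levels, key=LEVELS.__getitem__, default=None)
    return {"count": len(recent), "highest": highest,
            "names": [e["name"] for e in recent]}


# Constructed sample record, not real API output.
SAMPLE_USER = {
    "email": "alice@example.com",
    "name": "Alice",
    "risk_level": "high",
    "last_reset_time": "2024-05-01T00:00:00Z",
    "events": [
        {"id": "e1", "name": "sample behaviour A", "risk_level": "high",
         "timestamp": "2024-04-20T10:00:00Z", "event_details": None},
        {"id": "e2", "name": "sample behaviour B", "risk_level": "low",
         "timestamp": "2024-05-03T08:30:00Z", "event_details": None},
        {"id": "e3", "name": "sample behaviour C", "risk_level": "medium",
         "timestamp": "2024-05-10T12:00:00Z", "event_details": None},
    ],
}
```
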
Models
class RiskScoringGetResponse:
    email: str
    events: List[Event]
        id: str
        name: str
        risk_level: Literal["low", "medium", "high"]
        timestamp: datetime (format: date-time)
        event_details: Optional[object]
    name: str
    last_reset_time: Optional[datetime] (format: date-time)
    risk_level: Optional[Literal["low", "medium", "high"]]

Risk Scoring > Behaviours

Get all behaviors and associated configuration
zero_trust.risk_scoring.behaviours.get(**kwargs: BehaviourGetParams) -> BehaviourGetResponse
GET /accounts/{account_id}/zt_risk_scoring/behaviors

Update configuration for risk behaviors
zero_trust.risk_scoring.behaviours.update(**kwargs: BehaviourUpdateParams) -> BehaviourUpdateResponse
PUT /accounts/{account_id}/zt_risk_scoring/behaviors
Models
class BehaviourGetResponse:
    behaviors: Dict[str, Behaviors]
        description: str
        enabled: bool
        name: str
        risk_level: Literal["low", "medium", "high"]

class BehaviourUpdateResponse:
    behaviors: Dict[str, Behaviors]
        enabled: bool
        risk_level: Literal["low", "medium", "high"]

Risk Scoring > Summary

Get risk score info for all users in the account
zero_trust.risk_scoring.summary.get(**kwargs: SummaryGetParams) -> SummaryGetResponse
GET /accounts/{account_id}/zt_risk_scoring/summary
Models
class SummaryGetResponse:
    users: List[User]
        email: str
        event_count: int (minimum: 0)
        last_event: datetime (format: date-time)
        max_risk_level: Literal["low", "medium", "high"]
        name: str
        user_id: str (format: uuid)

Risk Scoring > Integrations

List all risk score integrations for the account.
zero_trust.risk_scoring.integrations.list(**kwargs: IntegrationListParams) -> SyncSinglePage[IntegrationListResponse]
GET /accounts/{account_id}/zt_risk_scoring/integrations

Get risk score integration by id.
zero_trust.risk_scoring.integrations.get(integration_id: str, **kwargs: IntegrationGetParams) -> IntegrationGetResponse
GET /accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Create new risk score integration.
zero_trust.risk_scoring.integrations.create(**kwargs: IntegrationCreateParams) -> IntegrationCreateResponse
POST /accounts/{account_id}/zt_risk_scoring/integrations

Update a risk score integration.
zero_trust.risk_scoring.integrations.update(integration_id: str, **kwargs: IntegrationUpdateParams) -> IntegrationUpdateResponse
PUT /accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Delete a risk score integration.
zero_trust.risk_scoring.integrations.delete(integration_id: str, **kwargs: IntegrationDeleteParams) -> object
DELETE /accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}
Models
class IntegrationListResponse:
    id: str (format: uuid)
        The id of the integration, a UUIDv4.
    account_tag: str
        The Cloudflare account tag.
    active: bool
        Whether this integration is enabled and should export changes in risk score.
    created_at: datetime (format: date-time)
        When the integration was created in RFC3339 format.
    integration_type: Literal["Okta"]
    reference_id: str
        A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
    tenant_url: str
        The base URL for the tenant. E.g. "https://tenant.okta.com".
    well_known_url: str
        The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". See https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1

class IntegrationGetResponse:
    id: str (format: uuid)
        The id of the integration, a UUIDv4.
    account_tag: str
        The Cloudflare account tag.
    active: bool
        Whether this integration is enabled and should export changes in risk score.
    created_at: datetime (format: date-time)
        When the integration was created in RFC3339 format.
    integration_type: Literal["Okta"]
    reference_id: str
        A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
    tenant_url: str
        The base URL for the tenant. E.g. "https://tenant.okta.com".
    well_known_url: str
        The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". See https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1

class IntegrationCreateResponse:
    id: str (format: uuid)
        The id of the integration, a UUIDv4.
    account_tag: str
        The Cloudflare account tag.
    active: bool
        Whether this integration is enabled and should export changes in risk score.
    created_at: datetime (format: date-time)
        When the integration was created in RFC3339 format.
    integration_type: Literal["Okta"]
    reference_id: str
        A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
    tenant_url: str
        The base URL for the tenant. E.g. "https://tenant.okta.com".
    well_known_url: str
        The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". See https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1

class IntegrationUpdateResponse:
    id: str (format: uuid)
        The id of the integration, a UUIDv4.
    account_tag: str
        The Cloudflare account tag.
    active: bool
        Whether this integration is enabled and should export changes in risk score.
    created_at: datetime (format: date-time)
        When the integration was created in RFC3339 format.
    integration_type: Literal["Okta"]
    reference_id: str
        A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
    tenant_url: str
        The base URL for the tenant. E.g. "https://tenant.okta.com".
    well_known_url: str
        The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". See https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1
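
The field descriptions above imply a few properties a configured integration should have, and they can be checked on the records returned by the list call. This is an added example, not SDK code: it runs offline on dicts with the `IntegrationListResponse` fields, the function names and sample records are constructed, and it assumes `{integration_uuid}` in `well_known_url` is the record's own `id`.

```python
from urllib.parse import urlsplit

# Path prefix taken from the well_known_url field description.
WELL_KNOWN_PREFIX = "/.well-known/sse-configuration/"


def audit_integration(rec):
    """Return findings for one record shaped like IntegrationListResponse.

    An empty list means nothing was flagged.
    """
    findings = []
    tenant = urlsplit(rec["tenant_url"])
    if tenant.scheme != "https":
        findings.append("tenant_url is not https")
    if not tenant.hostname or tenant.username or tenant.password:
        findings.append("tenant_url lacks a host or embeds credentials")
    if tenant.path not in ("", "/") or tenant.query or tenant.fragment:
        findings.append("tenant_url is not a bare base URL")
    # Assumption: {integration_uuid} in the path is the record's own id.
    path = urlsplit(rec["well_known_url"]).path
    segments = path[len(WELL_KNOWN_PREFIX):].split("/")
    if not path.startswith(WELL_KNOWN_PREFIX) or rec["id"] not in segments:
        findings.append("well_known_url does not reference this integration id")
    if not rec["reference_id"]:
        findings.append("reference_id is empty")
    if not rec["active"]:
        findings.append("inactive: risk score changes are not exported")
    return findings


def audit_all(records):
    """Map integration id -> findings, keeping only records with findings."""
    report = {rec["id"]: audit_integration(rec) for rec in records}
    return {k: v for k, v in report.items() if v}


# Constructed sample records, not real API output.
SAMPLE = [
    {"id": "11111111-1111-4111-8111-111111111111", "active": True,
     "integration_type": "Okta", "reference_id": "idp-ref-1",
     "tenant_url": "https://tenant.okta.com",
     "well_known_url": "/.well-known/sse-configuration/11111111-1111-4111-8111-111111111111/"},
    {"id": "22222222-2222-4222-8222-222222222222", "active": False,
     "integration_type": "Okta", "reference_id": "",
     "tenant_url": "http://tenant.example.com/login",
     "well_known_url": "/.well-known/sse-configuration/11111111-1111-4111-8111-111111111111/"},
]
```
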

Risk Scoring > Integrations > References

Get risk score integration by reference id.
zero_trust.risk_scoring.integrations.references.get(reference_id: str, **kwargs: ReferenceGetParams) -> ReferenceGetResponse
GET /accounts/{account_id}/zt_risk_scoring/integrations/reference_id/{reference_id}
Models
class ReferenceGetResponse:
    id: str (format: uuid)
        The id of the integration, a UUIDv4.
    account_tag: str
        The Cloudflare account tag.
    active: bool
        Whether this integration is enabled and should export changes in risk score.
    created_at: datetime (format: date-time)
        When the integration was created in RFC3339 format.
    integration_type: Literal["Okta"]
    reference_id: str
        A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
    tenant_url: str
        The base URL for the tenant. E.g. "https://tenant.okta.com".
    well_known_url: str
        The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". See https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1