Zero Trust

Zero TrustDevices

List devices (deprecated)

Deprecated

GET/accounts/{account_id}/devices

Get device (deprecated)

Deprecated

GET/accounts/{account_id}/devices/{device_id}

ModelsExpand Collapse

Device object { id, created, deleted, 17 more }

id: optional string

Registration ID. Equal to Device ID except for accounts which enabled multi-user mode.

maxLength36

created: optional string

When the device was created.

formatdate-time

deleted: optional boolean

True if the device was deleted.

device_type: optional "windows" or "mac" or "linux" or 3 more

One of the following:

"windows"

"mac"

"linux"

"android"

"ios"

"chromeos"

ip: optional string

IPv4 or IPv6 address.

key: optional string

The device’s public key.

last_seen: optional string

When the device last connected to Cloudflare services.

formatdate-time

mac_address: optional string

The device mac address.

manufacturer: optional string

The device manufacturer name.

model: optional string

The device model name.

The device name.

os_distro_name: optional string

The Linux distro name.

os_distro_revision: optional string

The Linux distro revision.

os_version: optional string

The operating system version.

os_version_extra: optional string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

revoked_at: optional string

When the device was revoked.

formatdate-time

serial_number: optional string

The device serial number.

updated: optional string

When the device was updated.

formatdate-time

user: optional object { id, email, name }

id: optional string

UUID.

maxLength36

email: optional string

The contact email address of the user.

maxLength90

The enrolled device user’s name.

version: optional string

The WARP client version.

DeviceGetResponse object { id, account, created, 16 more }

id: optional string

Registration ID. Equal to Device ID except for accounts which enabled multi-user mode.

maxLength36

account: optional object { id, account_type, name }

Deprecatedid: optional string

Deprecatedaccount_type: optional string

The name of the enrolled account.

created: optional string

When the device was created.

formatdate-time

deleted: optional boolean

True if the device was deleted.

device_type: optional string

Deprecatedgateway_device_id: optional string

ip: optional string

IPv4 or IPv6 address.

key: optional string

The device’s public key.

key_type: optional string

Type of the key.

last_seen: optional string

When the device last connected to Cloudflare services.

formatdate-time

mac_address: optional string

The device mac address.

model: optional string

The device model name.

The device name.

os_version: optional string

The operating system version.

serial_number: optional string

The device serial number.

tunnel_type: optional string

Type of the tunnel connection used.

updated: optional string

When the device was updated.

formatdate-time

user: optional object { id, email, name }

id: optional string

UUID.

maxLength36

email: optional string

The contact email address of the user.

maxLength90

The enrolled device user’s name.

version: optional string

The WARP client version.

Zero TrustDevicesDevices

List devices

GET/accounts/{account_id}/devices/physical-devices

Get device

GET/accounts/{account_id}/devices/physical-devices/{device_id}

Delete device

DELETE/accounts/{account_id}/devices/physical-devices/{device_id}

Revoke device registrations

POST/accounts/{account_id}/devices/physical-devices/{device_id}/revoke

ModelsExpand Collapse

DeviceListResponse object { id, active_registrations, created_at, 16 more }

A WARP Device.

id: string

The unique ID of the device.

active_registrations: number

The number of active registrations for the device. Active registrations are those which haven’t been revoked or deleted.

created_at: string

The RFC3339 timestamp when the device was created.

last_seen_at: string

The RFC3339 timestamp when the device was last seen.

The name of the device.

updated_at: string

The RFC3339 timestamp when the device was last updated.

client_version: optional string

Version of the WARP client.

deleted_at: optional string

The RFC3339 timestamp when the device was deleted.

device_type: optional string

The device operating system.

hardware_id: optional string

A string that uniquely identifies the hardware or virtual machine (VM).

last_seen_registration: optional object { policy }

The last seen registration for the device.

policy: optional object { id, default, deleted, 2 more }

A summary of the device profile evaluated for the registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

last_seen_user: optional object { id, email, name }

The last user to use the WARP device.

id: optional string

UUID.

maxLength36

email: optional string

The contact email address of the user.

maxLength90

The enrolled device user’s name.

mac_address: optional string

The device MAC address.

manufacturer: optional string

The device manufacturer.

model: optional string

The model name of the device.

os_version: optional string

The device operating system version number.

os_version_extra: optional string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

Deprecatedpublic_ip: optional string

Deprecated: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/

serial_number: optional string

The device serial number.

DeviceGetResponse object { id, active_registrations, created_at, 16 more }

A WARP Device.

id: string

The unique ID of the device.

active_registrations: number

The number of active registrations for the device. Active registrations are those which haven’t been revoked or deleted.

created_at: string

The RFC3339 timestamp when the device was created.

last_seen_at: string

The RFC3339 timestamp when the device was last seen.

The name of the device.

updated_at: string

The RFC3339 timestamp when the device was last updated.

client_version: optional string

Version of the WARP client.

deleted_at: optional string

The RFC3339 timestamp when the device was deleted.

device_type: optional string

The device operating system.

hardware_id: optional string

A string that uniquely identifies the hardware or virtual machine (VM).

last_seen_registration: optional object { policy }

The last seen registration for the device.

policy: optional object { id, default, deleted, 2 more }

A summary of the device profile evaluated for the registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

last_seen_user: optional object { id, email, name }

The last user to use the WARP device.

id: optional string

UUID.

maxLength36

email: optional string

The contact email address of the user.

maxLength90

The enrolled device user’s name.

mac_address: optional string

The device MAC address.

manufacturer: optional string

The device manufacturer.

model: optional string

The model name of the device.

os_version: optional string

The device operating system version number.

os_version_extra: optional string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

Deprecatedpublic_ip: optional string

Deprecated: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/

serial_number: optional string

The device serial number.

DeviceDeleteResponse = unknown

DeviceRevokeResponse = unknown

Zero TrustDevicesResilience

Zero TrustDevicesResilienceGlobal WARP Override

Retrieve Global WARP override state

GET/accounts/{account_id}/devices/resilience/disconnect

Set Global WARP override state

POST/accounts/{account_id}/devices/resilience/disconnect

ModelsExpand Collapse

GlobalWARPOverrideGetResponse object { disconnect, timestamp }

disconnect: optional boolean

Disconnects all devices on the account using Global WARP override.

timestamp: optional string

When the Global WARP override state was updated.

formatdate-time

GlobalWARPOverrideCreateResponse object { disconnect, timestamp }

disconnect: optional boolean

Disconnects all devices on the account using Global WARP override.

timestamp: optional string

When the Global WARP override state was updated.

formatdate-time

Zero TrustDevicesRegistrations

List registrations

GET/accounts/{account_id}/devices/registrations

Get registration

GET/accounts/{account_id}/devices/registrations/{registration_id}

Delete registration

DELETE/accounts/{account_id}/devices/registrations/{registration_id}

Delete registrations

DELETE/accounts/{account_id}/devices/registrations

Revoke registrations

POST/accounts/{account_id}/devices/registrations/revoke

Unrevoke registrations

POST/accounts/{account_id}/devices/registrations/unrevoke

ModelsExpand Collapse

RegistrationListResponse object { id, created_at, device, 9 more }

A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.

id: string

The ID of the registration.

created_at: string

The RFC3339 timestamp when the registration was created.

device: object { id, name, client_version }

Device details embedded inside of a registration.

id: string

The ID of the device.

The name of the device.

client_version: optional string

Version of the WARP client.

key: string

The public key used to connect to the Cloudflare network.

last_seen_at: string

The RFC3339 timestamp when the registration was last seen.

updated_at: string

The RFC3339 timestamp when the registration was last updated.

deleted_at: optional string

The RFC3339 timestamp when the registration was deleted.

key_type: optional string

The type of encryption key used by the WARP client for the active key. Currently ‘curve25519’ for WireGuard and ‘secp256r1’ for MASQUE.

policy: optional object { id, default, deleted, 2 more }

The device settings profile assigned to this registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

revoked_at: optional string

The RFC3339 timestamp when the registration was revoked.

tunnel_type: optional string

Type of the tunnel - wireguard or masque.

user: optional object { id, email, name }

id: optional string

UUID.

maxLength36

email: optional string

The contact email address of the user.

maxLength90

The enrolled device user’s name.

RegistrationGetResponse object { id, created_at, device, 9 more }

A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.

id: string

The ID of the registration.

created_at: string

The RFC3339 timestamp when the registration was created.

device: object { id, name, client_version }

Device details embedded inside of a registration.

id: string

The ID of the device.

The name of the device.

client_version: optional string

Version of the WARP client.

key: string

The public key used to connect to the Cloudflare network.

last_seen_at: string

The RFC3339 timestamp when the registration was last seen.

updated_at: string

The RFC3339 timestamp when the registration was last updated.

deleted_at: optional string

The RFC3339 timestamp when the registration was deleted.

key_type: optional string

The type of encryption key used by the WARP client for the active key. Currently ‘curve25519’ for WireGuard and ‘secp256r1’ for MASQUE.

policy: optional object { id, default, deleted, 2 more }

The device settings profile assigned to this registration.

id: string

The ID of the device settings profile.

default: boolean

Whether the device settings profile is the default profile for the account.

deleted: boolean

Whether the device settings profile was deleted.

The name of the device settings profile.

updated_at: string

The RFC3339 timestamp of when the device settings profile last changed for the registration.

revoked_at: optional string

The RFC3339 timestamp when the registration was revoked.

tunnel_type: optional string

Type of the tunnel - wireguard or masque.

user: optional object { id, email, name }

id: optional string

UUID.

maxLength36

email: optional string

The contact email address of the user.

maxLength90

The enrolled device user’s name.

RegistrationDeleteResponse = unknown

RegistrationBulkDeleteResponse = unknown

RegistrationRevokeResponse = unknown

RegistrationUnrevokeResponse = unknown

Zero TrustDevicesDEX Tests

List Device DEX tests

GET/accounts/{account_id}/dex/devices/dex_tests

Get Device DEX test

GET/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}

Create Device DEX test

POST/accounts/{account_id}/dex/devices/dex_tests

Update Device DEX test

PUT/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}

Delete Device DEX test

DELETE/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}

ModelsExpand Collapse

SchemaData object { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: optional string

The desired endpoint to test.

kind: optional string

The type of test.

method: optional string

The HTTP request method type.

SchemaHTTP object { data, enabled, interval, 5 more }

data: SchemaData { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description: optional string

Additional details about the test.

target_policies: optional array of object { id, default, name }

Device settings profiles targeted by this test.

id: optional string

The id of the device settings profile.

default: optional boolean

Whether the profile is the account default.

The name of the device settings profile.

targeted: optional boolean

test_id: optional string

The unique identifier for the test.

maxLength32

DEXTestListResponse object { data, enabled, interval, 5 more }

data: object { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" or "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method: optional "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description: optional string

Additional details about the test.

target_policies: optional array of object { id, default, name }

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength36

default: optional boolean

Whether the DEX rule is the account default

The name of the DEX rule

targeted: optional boolean

test_id: optional string

The unique identifier for the test.

maxLength32

DEXTestGetResponse object { data, enabled, interval, 5 more }

data: object { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" or "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method: optional "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description: optional string

Additional details about the test.

target_policies: optional array of object { id, default, name }

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength36

default: optional boolean

Whether the DEX rule is the account default

The name of the DEX rule

targeted: optional boolean

test_id: optional string

The unique identifier for the test.

maxLength32

DEXTestCreateResponse object { data, enabled, interval, 5 more }

data: object { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" or "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method: optional "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description: optional string

Additional details about the test.

target_policies: optional array of object { id, default, name }

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength36

default: optional boolean

Whether the DEX rule is the account default

The name of the DEX rule

targeted: optional boolean

test_id: optional string

The unique identifier for the test.

maxLength32

DEXTestUpdateResponse object { data, enabled, interval, 5 more }

data: object { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" or "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method: optional "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description: optional string

Additional details about the test.

target_policies: optional array of object { id, default, name }

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength36

default: optional boolean

Whether the DEX rule is the account default

The name of the DEX rule

targeted: optional boolean

test_id: optional string

The unique identifier for the test.

maxLength32

DEXTestDeleteResponse object { dex_tests }

dex_tests: optional array of object { data, enabled, interval, 5 more }

data: object { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

host: string

The desired endpoint to test.

kind: "http" or "traceroute"

The type of test.

One of the following:

"http"

"traceroute"

method: optional "GET"

The HTTP request method type.

enabled: boolean

Determines whether or not the test is active.

interval: string

How often the test will run.

The name of the DEX test. Must be unique.

description: optional string

Additional details about the test.

target_policies: optional array of object { id, default, name }

DEX rules targeted by this test

id: string

API Resource UUID tag.

maxLength36

default: optional boolean

Whether the DEX rule is the account default

The name of the DEX rule

targeted: optional boolean

test_id: optional string

The unique identifier for the test.

maxLength32

Zero TrustDevicesIP Profiles

List IP profiles

GET/accounts/{account_id}/devices/ip-profiles

Get IP profile

GET/accounts/{account_id}/devices/ip-profiles/{profile_id}

Create IP profile

POST/accounts/{account_id}/devices/ip-profiles

Update IP profile

PATCH/accounts/{account_id}/devices/ip-profiles/{profile_id}

Delete IP profile

DELETE/accounts/{account_id}/devices/ip-profiles/{profile_id}

ModelsExpand Collapse

IPProfile object { id, created_at, description, 6 more }

id: string

The ID of the Device IP profile.

created_at: string

The RFC3339Nano timestamp when the Device IP profile was created.

description: string

An optional description of the Device IP profile.

enabled: boolean

Whether the Device IP profile is enabled.

match: string

The wirefilter expression to match registrations. Available values: “identity.name”, “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.saml_attributes”.

maxLength10000

A user-friendly name for the Device IP profile.

precedence: number

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: string

The ID of the Subnet.

updated_at: string

The RFC3339Nano timestamp when the Device IP profile was last updated.

IPProfileDeleteResponse object { id }

id: optional string

ID of the deleted Device IP profile.

Zero TrustDevicesNetworks

List your device managed networks

GET/accounts/{account_id}/devices/networks

Get device managed network details

GET/accounts/{account_id}/devices/networks/{network_id}

Create a device managed network

POST/accounts/{account_id}/devices/networks

Update a device managed network

PUT/accounts/{account_id}/devices/networks/{network_id}

Delete a device managed network

DELETE/accounts/{account_id}/devices/networks/{network_id}

ModelsExpand Collapse

DeviceNetwork object { config, name, network_id, type }

config: optional object { tls_sockaddr, sha256 }

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: string

A network address of the form “host:port” that the WARP client will use to detect the presence of a TLS host.

sha256: optional string

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

The name of the device managed network. This name must be unique.

network_id: optional string

API UUID.

maxLength36

type: optional "tls"

The type of device managed network.

Zero TrustDevicesFleet Status

Get the live status of a latest device

GET/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live

ModelsExpand Collapse

FleetStatusGetResponse object { colo, deviceId, mode, 36 more }

colo: string

Cloudflare colo

deviceId: string

Device identifier (UUID v4)

mode: string

The mode under which the WARP client is run

platform: string

Operating system

status: string

Network status

timestamp: string

Timestamp in ISO format

version: string

WARP client version

alwaysOn: optional boolean

batteryCharging: optional boolean

batteryCycles: optional number

formatint64

batteryPct: optional number

formatfloat

connectionType: optional string

cpuPct: optional number

formatfloat

cpuPctByApp: optional array of array of object { cpu_pct, name }

cpu_pct: optional number

formatfloat

deviceIpv4: optional object { address, asn, aso, 3 more }

address: optional string

asn: optional number

aso: optional string

location: optional object { city, country_iso, state_iso, zip }

city: optional string

country_iso: optional string

state_iso: optional string

zip: optional string

netmask: optional string

version: optional string

deviceIpv6: optional object { address, asn, aso, 3 more }

address: optional string

asn: optional number

aso: optional string

location: optional object { city, country_iso, state_iso, zip }

city: optional string

country_iso: optional string

state_iso: optional string

zip: optional string

netmask: optional string

version: optional string

deviceName: optional string

Device identifier (human readable)

diskReadBps: optional number

formatint64

diskUsagePct: optional number

formatfloat

diskWriteBps: optional number

formatint64

dohSubdomain: optional string

estimatedLossPct: optional number

formatfloat

firewallEnabled: optional boolean

gatewayIpv4: optional object { address, asn, aso, 3 more }

address: optional string

asn: optional number

aso: optional string

location: optional object { city, country_iso, state_iso, zip }

city: optional string

country_iso: optional string

state_iso: optional string

zip: optional string

netmask: optional string

version: optional string

gatewayIpv6: optional object { address, asn, aso, 3 more }

address: optional string

asn: optional number

aso: optional string

location: optional object { city, country_iso, state_iso, zip }

city: optional string

country_iso: optional string

state_iso: optional string

zip: optional string

netmask: optional string

version: optional string

handshakeLatencyMs: optional number

formatint64

ispIpv4: optional object { address, asn, aso, 3 more }

address: optional string

asn: optional number

aso: optional string

location: optional object { city, country_iso, state_iso, zip }

city: optional string

country_iso: optional string

state_iso: optional string

zip: optional string

netmask: optional string

version: optional string

ispIpv6: optional object { address, asn, aso, 3 more }

address: optional string

asn: optional number

aso: optional string

location: optional object { city, country_iso, state_iso, zip }

city: optional string

country_iso: optional string

state_iso: optional string

zip: optional string

netmask: optional string

version: optional string

metal: optional string

networkRcvdBps: optional number

formatint64

networkSentBps: optional number

formatint64

networkSsid: optional string

personEmail: optional string

User contact email address

ramAvailableKb: optional number

formatint64

ramUsedPct: optional number

formatfloat

ramUsedPctByApp: optional array of array of object { name, ram_used_pct }

ram_used_pct: optional number

formatfloat

registrationId: optional string

Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user’s registration on the device.

switchLocked: optional boolean

wifiStrengthDbm: optional number

formatint64

Zero TrustDevicesPolicies

ModelsExpand Collapse

DevicePolicyCertificates object { enabled }

enabled: boolean

The current status of the device policy certificate provisioning feature for WARP clients.

FallbackDomain object { suffix, description, dns_server }

suffix: string

The domain suffix to match when resolving locally.

description: optional string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server: optional array of string

A list of IP addresses to handle domain resolution.

FallbackDomainPolicy = array of FallbackDomain { suffix, description, dns_server }

suffix: string

The domain suffix to match when resolving locally.

description: optional string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server: optional array of string

A list of IP addresses to handle domain resolution.

SettingsPolicy object { allow_mode_switch, allow_updates, allowed_to_leave, 24 more }

allow_mode_switch: optional boolean

Whether to allow the user to switch WARP between modes.

allow_updates: optional boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: optional boolean

Whether to allow devices to leave the organization.

auto_connect: optional number

The amount of time in seconds to reconnect after having been disabled.

captive_portal: optional number

Turn on the captive portal after the specified amount of time.

default: optional boolean

Whether the policy is the default policy for an account.

description: optional string

A description of the policy.

maxLength500

disable_auto_fallback: optional boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: optional boolean

Whether the policy will be applied to matching devices.

List of routes excluded in the WARP client’s tunnel.

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress object { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost object { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

exclude_office_ips: optional boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: optional array of FallbackDomain { suffix, description, dns_server }

suffix: string

The domain suffix to match when resolving locally.

description: optional string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server: optional array of string

A list of IP addresses to handle domain resolution.

gateway_unique_id: optional string

include: optional array of SplitTunnelInclude

List of routes included in the WARP client’s tunnel.

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress object { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost object { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

lan_allow_minutes: optional number

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: optional number

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: optional string

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

maxLength500

The name of the device settings profile.

maxLength100

policy_id: optional string

maxLength36

precedence: optional number

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: optional boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: optional boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: optional object { mode, port }

mode: optional string

The mode to run the WARP client under.

port: optional number

The port number when used with proxy mode.

support_url: optional string

The URL to launch when the Send Feedback button is clicked.

switch_locked: optional boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests: optional array of object { id, name }

id: optional string

The id of the DEX test targeting this policy.

The name of the DEX test targeting this policy.

tunnel_protocol: optional string

Determines which tunnel protocol to use.

SplitTunnelExclude = object { address, description } or object { host, description }

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress object { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost object { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

SplitTunnelInclude = object { address, description } or object { host, description }

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress object { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost object { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

Zero TrustDevicesPoliciesDefault

Get the default device settings profile

GET/accounts/{account_id}/devices/policy

Update the default device settings profile

PATCH/accounts/{account_id}/devices/policy

ModelsExpand Collapse

DefaultGetResponse object { allow_mode_switch, allow_updates, allowed_to_leave, 17 more }

allow_mode_switch: optional boolean

Whether to allow the user to switch WARP between modes.

allow_updates: optional boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: optional boolean

Whether to allow devices to leave the organization.

auto_connect: optional number

The amount of time in seconds to reconnect after having been disabled.

captive_portal: optional number

Turn on the captive portal after the specified amount of time.

default: optional boolean

Whether the policy will be applied to matching devices.

disable_auto_fallback: optional boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: optional boolean

Whether the policy will be applied to matching devices.

List of routes excluded in the WARP client’s tunnel.

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress object { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost object { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

exclude_office_ips: optional boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: optional array of FallbackDomain { suffix, description, dns_server }

suffix: string

The domain suffix to match when resolving locally.

description: optional string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server: optional array of string

A list of IP addresses to handle domain resolution.

gateway_unique_id: optional string

include: optional array of SplitTunnelInclude

List of routes included in the WARP client’s tunnel.

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress object { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost object { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

policy_id: optional string

maxLength36

register_interface_ip_with_dns: optional boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: optional boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: optional object { mode, port }

mode: optional string

The mode to run the WARP client under.

port: optional number

The port number when used with proxy mode.

support_url: optional string

The URL to launch when the Send Feedback button is clicked.

switch_locked: optional boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: optional string

Determines which tunnel protocol to use.

DefaultEditResponse object { allow_mode_switch, allow_updates, allowed_to_leave, 17 more }

allow_mode_switch: optional boolean

Whether to allow the user to switch WARP between modes.

allow_updates: optional boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: optional boolean

Whether to allow devices to leave the organization.

auto_connect: optional number

The amount of time in seconds to reconnect after having been disabled.

captive_portal: optional number

Turn on the captive portal after the specified amount of time.

default: optional boolean

Whether the policy will be applied to matching devices.

disable_auto_fallback: optional boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: optional boolean

Whether the policy will be applied to matching devices.

List of routes excluded in the WARP client’s tunnel.

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress object { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost object { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

exclude_office_ips: optional boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: optional array of FallbackDomain { suffix, description, dns_server }

suffix: string

The domain suffix to match when resolving locally.

description: optional string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server: optional array of string

A list of IP addresses to handle domain resolution.

gateway_unique_id: optional string

include: optional array of SplitTunnelInclude

List of routes included in the WARP client’s tunnel.

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress object { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost object { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

policy_id: optional string

maxLength36

register_interface_ip_with_dns: optional boolean

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: optional boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: optional object { mode, port }

mode: optional string

The mode to run the WARP client under.

port: optional number

The port number when used with proxy mode.

support_url: optional string

The URL to launch when the Send Feedback button is clicked.

switch_locked: optional boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: optional string

Determines which tunnel protocol to use.

Zero TrustDevicesPoliciesDefaultExcludes

Get the Split Tunnel exclude list

GET/accounts/{account_id}/devices/policy/exclude

Set the Split Tunnel exclude list

PUT/accounts/{account_id}/devices/policy/exclude

Zero TrustDevicesPoliciesDefaultIncludes

Get the Split Tunnel include list

GET/accounts/{account_id}/devices/policy/include

Set the Split Tunnel include list

PUT/accounts/{account_id}/devices/policy/include

Zero TrustDevicesPoliciesDefaultFallback Domains

Get your Local Domain Fallback list

GET/accounts/{account_id}/devices/policy/fallback_domains

Set your Local Domain Fallback list

PUT/accounts/{account_id}/devices/policy/fallback_domains

Zero TrustDevicesPoliciesDefaultCertificates

Get device certificate provisioning status

GET/zones/{zone_id}/devices/policy/certificates

Update device certificate provisioning status

PATCH/zones/{zone_id}/devices/policy/certificates

Zero TrustDevicesPoliciesCustom

List device settings profiles

GET/accounts/{account_id}/devices/policies

Get device settings profile by ID

GET/accounts/{account_id}/devices/policy/{policy_id}

Create a device settings profile

POST/accounts/{account_id}/devices/policy

Update a device settings profile

PATCH/accounts/{account_id}/devices/policy/{policy_id}

Delete a device settings profile

DELETE/accounts/{account_id}/devices/policy/{policy_id}

Zero TrustDevicesPoliciesCustomExcludes

Get the Split Tunnel exclude list for a device settings profile

GET/accounts/{account_id}/devices/policy/{policy_id}/exclude

Set the Split Tunnel exclude list for a device settings profile

PUT/accounts/{account_id}/devices/policy/{policy_id}/exclude

Zero TrustDevicesPoliciesCustomIncludes

Get the Split Tunnel include list for a device settings profile

GET/accounts/{account_id}/devices/policy/{policy_id}/include

Set the Split Tunnel include list for a device settings profile

PUT/accounts/{account_id}/devices/policy/{policy_id}/include

Zero TrustDevicesPoliciesCustomFallback Domains

Get the Local Domain Fallback list for a device settings profile

GET/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Set the Local Domain Fallback list for a device settings profile

PUT/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Zero TrustDevicesPosture

List device posture rules

GET/accounts/{account_id}/devices/posture

Get device posture rule details

GET/accounts/{account_id}/devices/posture/{rule_id}

Create a device posture rule

POST/accounts/{account_id}/devices/posture

Update a device posture rule

PUT/accounts/{account_id}/devices/posture/{rule_id}

Delete a device posture rule

DELETE/accounts/{account_id}/devices/posture/{rule_id}

ModelsExpand Collapse

CarbonblackInput = string

ClientCertificateInput object { certificate_id, cn }

certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36

cn: string

Common Name that is protected by the certificate.

CrowdstrikeInput object { connection_id, last_seen, operator, 6 more }

connection_id: string

Posture Integration ID.

last_seen: optional string

For more details on last seen, please refer to the Crowdstrike documentation.

operator: optional "<" or "<=" or ">" or 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

os: optional string

Os Version.

overall: optional string

Overall.

sensor_config: optional string

SensorConfig.

state: optional "online" or "offline" or "unknown"

For more details on state, please refer to the Crowdstrike documentation.

One of the following:

"online"

"offline"

"unknown"

version: optional string

Version.

versionOperator: optional "<" or "<=" or ">" or 2 more

Version Operator.

One of the following:

"<"

"<="

">"

">="

"=="

DeviceInput = FileInput { operating_system, path, exists, 2 more } or UniqueClientIDInput { id, operating_system } or DomainJoinedInput { operating_system, domain } or 17 more

The value to be checked against.

One of the following:

FileInput object { operating_system, path, exists, 2 more }

operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

exists: optional boolean

Whether or not file exists.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

UniqueClientIDInput object { id, operating_system }

id: string

List ID.

operating_system: "android" or "ios" or "chromeos"

Operating System.

One of the following:

"android"

"ios"

"chromeos"

DomainJoinedInput object { operating_system, domain }

operating_system: "windows"

Operating System.

domain: optional string

Domain.

OSVersionInput object { operating_system, operator, version, 3 more }

operating_system: "windows"

Operating System.

operator: "<" or "<=" or ">" or 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

version: string

Version of OS.

os_distro_name: optional string

Operating System Distribution Name (linux only).

os_distro_revision: optional string

Version of OS Distribution (linux only).

os_version_extra: optional string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

FirewallInput object { enabled, operating_system }

enabled: boolean

Enabled.

operating_system: "windows" or "mac"

Operating System.

One of the following:

"windows"

"mac"

SentineloneInput object { operating_system, path, sha256, thumbprint }

operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

TeamsDevicesCarbonblackInputRequest object { operating_system, path, sha256, thumbprint }

operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

TeamsDevicesAccessSerialNumberListInputRequest object { id }

id: string

UUID of Access List.

maxLength36

DiskEncryptionInput object { checkDisks, requireAll }

checkDisks: optional array of CarbonblackInput

List of volume names to be checked for encryption.

requireAll: optional boolean

Whether to check all disks for encryption.

TeamsDevicesApplicationInputRequest object { operating_system, path, sha256, thumbprint }

operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

Path for the application.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

ClientCertificateInput object { certificate_id, cn }

certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36

cn: string

Common Name that is protected by the certificate.

TeamsDevicesClientCertificateV2InputRequest object { certificate_id, check_private_key, operating_system, 4 more }

certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36

check_private_key: boolean

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

cn: optional string

Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.

extended_key_usage: optional array of "clientAuth" or "emailProtection"

List of values indicating purposes for which the certificate public key can be used.

One of the following:

"clientAuth"

"emailProtection"

locations: optional object { paths, trust_stores }

paths: optional array of string

List of paths to check for client certificate on linux.

trust_stores: optional array of "system" or "user"

List of trust stores to check for client certificate.

One of the following:

"system"

"user"

subject_alternative_names: optional array of string

List of certificate Subject Alternative Names.

TeamsDevicesAntivirusInputRequest object { update_window_days }

update_window_days: optional number

Number of days that the antivirus should be updated within.

WorkspaceOneInput object { compliance_status, connection_id }

compliance_status: "compliant" or "noncompliant" or "unknown"

Compliance Status.

One of the following:

"compliant"

"noncompliant"

"unknown"

connection_id: string

Posture Integration ID.

CrowdstrikeInput object { connection_id, last_seen, operator, 6 more }

connection_id: string

Posture Integration ID.

last_seen: optional string

For more details on last seen, please refer to the Crowdstrike documentation.

operator: optional "<" or "<=" or ">" or 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

os: optional string

Os Version.

overall: optional string

Overall.

sensor_config: optional string

SensorConfig.

state: optional "online" or "offline" or "unknown"

For more details on state, please refer to the Crowdstrike documentation.

One of the following:

"online"

"offline"

"unknown"

version: optional string

Version.

versionOperator: optional "<" or "<=" or ">" or 2 more

Version Operator.

One of the following:

"<"

"<="

">"

">="

"=="

IntuneInput object { compliance_status, connection_id }

compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more

Compliance Status.

One of the following:

"compliant"

"noncompliant"

"unknown"

"notapplicable"

"ingraceperiod"

"error"

connection_id: string

Posture Integration ID.

KolideInput object { connection_id, auth_state, countOperator, issue_count }

connection_id: string

Posture Integration ID.

auth_state: optional array of "Good" or "Notified" or "Will Block" or "Blocked"

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

One of the following:

"Good"

"Notified"

"Will Block"

"Blocked"

countOperator: optional "<" or "<=" or ">" or 2 more

Count Operator.

One of the following:

"<"

"<="

">"

">="

"=="

issue_count: optional string

The Number of Issues.

TaniumInput object { connection_id, eid_last_seen, operator, 3 more }

connection_id: string

Posture Integration ID.

eid_last_seen: optional string

For more details on eid last seen, refer to the Tanium documentation.

operator: optional "<" or "<=" or ">" or 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:

"<"

"<="

">"

">="

"=="

risk_level: optional "low" or "medium" or "high" or "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:

"low"

"medium"

"high"

"critical"

scoreOperator: optional "<" or "<=" or ">" or 2 more

Score Operator.

One of the following:

"<"

"<="

">"

">="

"=="

total_score: optional number

For more details on total score, refer to the Tanium documentation.

SentineloneS2sInput object { connection_id, active_threats, infected, 4 more }

connection_id: string

Posture Integration ID.

active_threats: optional number

The Number of active threats.

infected: optional boolean

Whether device is infected.

is_active: optional boolean

Whether device is active.

network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"

Network status of device.

One of the following:

"connected"

"disconnected"

"disconnecting"

"connecting"

operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more

Agent operational state.

One of the following:

"na"

"partially_disabled"

"auto_fully_disabled"

"fully_disabled"

"auto_partially_disabled"

"disabled_error"

"db_corruption"

operator: optional "<" or "<=" or ">" or 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

TeamsDevicesCustomS2sInputRequest object { connection_id, operator, score }

connection_id: string

Posture Integration ID.

operator: "<" or "<=" or ">" or 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

score: number

A value between 0-100 assigned to devices set by the 3rd party posture provider.

DeviceMatch object { platform }

platform: optional "windows" or "mac" or "linux" or 3 more

One of the following:

"windows"

"mac"

"linux"

"android"

"ios"

"chromeos"

DevicePostureRule object { id, description, expiration, 5 more }

id: optional string

API UUID.

maxLength36

description: optional string

The description of the device posture rule.

expiration: optional string

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input: optional DeviceInput

The value to be checked against.

match: optional array of DeviceMatch { platform }

The conditions that the client must match to run the rule.

platform: optional "windows" or "mac" or "linux" or 3 more

One of the following:

"windows"

"mac"

"linux"

"android"

"ios"

"chromeos"

The name of the device posture rule.

schedule: optional string

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type: optional "file" or "application" or "tanium" or 20 more

The type of device posture rule.

One of the following:

"file"

"application"

"tanium"

"gateway"

"warp"

"disk_encryption"

"serial_number"

"sentinelone"

"carbonblack"

"firewall"

"os_version"

"domain_joined"

"client_certificate"

"client_certificate_v2"

"antivirus"

"unique_client_id"

"kolide"

"tanium_s2s"

"crowdstrike_s2s"

"intune"

"workspace_one"

"sentinelone_s2s"

"custom_s2s"

DiskEncryptionInput object { checkDisks, requireAll }

checkDisks: optional array of CarbonblackInput

List of volume names to be checked for encryption.

requireAll: optional boolean

Whether to check all disks for encryption.

DomainJoinedInput object { operating_system, domain }

operating_system: "windows"

Operating System.

domain: optional string

Domain.

FileInput object { operating_system, path, exists, 2 more }

operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

exists: optional boolean

Whether or not file exists.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

FirewallInput object { enabled, operating_system }

enabled: boolean

Enabled.

operating_system: "windows" or "mac"

Operating System.

One of the following:

"windows"

"mac"

IntuneInput object { compliance_status, connection_id }

compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more

Compliance Status.

One of the following:

"compliant"

"noncompliant"

"unknown"

"notapplicable"

"ingraceperiod"

"error"

connection_id: string

Posture Integration ID.

KolideInput object { connection_id, auth_state, countOperator, issue_count }

connection_id: string

Posture Integration ID.

auth_state: optional array of "Good" or "Notified" or "Will Block" or "Blocked"

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

One of the following:

"Good"

"Notified"

"Will Block"

"Blocked"

countOperator: optional "<" or "<=" or ">" or 2 more

Count Operator.

One of the following:

"<"

"<="

">"

">="

"=="

issue_count: optional string

The Number of Issues.

OSVersionInput object { operating_system, operator, version, 3 more }

operating_system: "windows"

Operating System.

operator: "<" or "<=" or ">" or 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

version: string

Version of OS.

os_distro_name: optional string

Operating System Distribution Name (linux only).

os_distro_revision: optional string

Version of OS Distribution (linux only).

os_version_extra: optional string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

SentineloneInput object { operating_system, path, sha256, thumbprint }

operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:

"windows"

"linux"

"mac"

path: string

File path.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

SentineloneS2sInput object { connection_id, active_threats, infected, 4 more }

connection_id: string

Posture Integration ID.

active_threats: optional number

The Number of active threats.

infected: optional boolean

Whether device is infected.

is_active: optional boolean

Whether device is active.

network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"

Network status of device.

One of the following:

"connected"

"disconnected"

"disconnecting"

"connecting"

operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more

Agent operational state.

One of the following:

"na"

"partially_disabled"

"auto_fully_disabled"

"fully_disabled"

"auto_partially_disabled"

"disabled_error"

"db_corruption"

operator: optional "<" or "<=" or ">" or 2 more

Operator.

One of the following:

"<"

"<="

">"

">="

"=="

TaniumInput object { connection_id, eid_last_seen, operator, 3 more }

connection_id: string

Posture Integration ID.

eid_last_seen: optional string

For more details on eid last seen, refer to the Tanium documentation.

operator: optional "<" or "<=" or ">" or 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:

"<"

"<="

">"

">="

"=="

risk_level: optional "low" or "medium" or "high" or "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:

"low"

"medium"

"high"

"critical"

scoreOperator: optional "<" or "<=" or ">" or 2 more

Score Operator.

One of the following:

"<"

"<="

">"

">="

"=="

total_score: optional number

For more details on total score, refer to the Tanium documentation.

UniqueClientIDInput object { id, operating_system }

id: string

List ID.

operating_system: "android" or "ios" or "chromeos"

Operating System.

One of the following:

"android"

"ios"

"chromeos"

WorkspaceOneInput object { compliance_status, connection_id }

compliance_status: "compliant" or "noncompliant" or "unknown"

Compliance Status.

One of the following:

"compliant"

"noncompliant"

"unknown"

connection_id: string

Posture Integration ID.

PostureDeleteResponse object { id }

id: optional string

API UUID.

maxLength36

Zero TrustDevicesPostureIntegrations

List your device posture integrations

GET/accounts/{account_id}/devices/posture/integration

Get device posture integration details

GET/accounts/{account_id}/devices/posture/integration/{integration_id}

Create a device posture integration

POST/accounts/{account_id}/devices/posture/integration

Update a device posture integration

PATCH/accounts/{account_id}/devices/posture/integration/{integration_id}

Delete a device posture integration

DELETE/accounts/{account_id}/devices/posture/integration/{integration_id}

ModelsExpand Collapse

Integration object { id, config, interval, 2 more }

id: optional string

API UUID.

maxLength36

config: optional object { api_url, auth_url, client_id }

The configuration object containing third-party integration information.

api_url: string

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: string

The Workspace One Authorization URL depending on your region.

client_id: string

The Workspace One client ID provided in the Workspace One Admin Dashboard.

interval: optional string

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

The name of the device posture integration.

type: optional "workspace_one" or "crowdstrike_s2s" or "uptycs" or 5 more

The type of device posture integration.

One of the following:

"workspace_one"

"crowdstrike_s2s"

"uptycs"

"intune"

"kolide"

"tanium_s2s"

"sentinelone_s2s"

"custom_s2s"

IntegrationDeleteResponse = unknown or string

One of the following:

unknown

string

Zero TrustDevicesRevoke

Revoke devices (deprecated)

Deprecated

POST/accounts/{account_id}/devices/revoke

ModelsExpand Collapse

RevokeCreateResponse = unknown or string

One of the following:

unknown

string

Zero TrustDevicesSettings

Get device settings for a Zero Trust account

GET/accounts/{account_id}/devices/settings

Update device settings for a Zero Trust account

PUT/accounts/{account_id}/devices/settings

Patch device settings for a Zero Trust account

PATCH/accounts/{account_id}/devices/settings

Reset device settings for a Zero Trust account with defaults. This turns off all proxying.

DELETE/accounts/{account_id}/devices/settings

ModelsExpand Collapse

DeviceSettings object { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more }

disable_for_time: optional number

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled: optional boolean

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint: optional string

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server’s identity. The device will ignore any response if the server’s certificate fingerprint does not exactly match this value.

external_emergency_signal_interval: optional string

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., “5m”, “2m30s”, “1h”). Minimum 30 seconds.

external_emergency_signal_url: optional string

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled: optional boolean

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled: optional boolean

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled: optional boolean

Enable installation of cloudflare managed root certificate.

use_zt_virtual_ip: optional boolean

Enable using CGNAT virtual IPv4.

Zero TrustDevicesUnrevoke

Unrevoke devices (deprecated)

Deprecated

POST/accounts/{account_id}/devices/unrevoke

ModelsExpand Collapse

UnrevokeCreateResponse = unknown or string

One of the following:

unknown

string

Zero TrustDevicesOverride Codes

Get override codes (deprecated)

Deprecated

GET/accounts/{account_id}/devices/{device_id}/override_codes

Get override codes

GET/accounts/{account_id}/devices/registrations/{registration_id}/override_codes

ModelsExpand Collapse

OverrideCodeListResponse = unknown

OverrideCodeGetResponse object { disable_for_time }

disable_for_time: optional map[string]

Zero TrustIdentity Providers

List Access identity providers

GET/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers

Get an Access identity provider

GET/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Add an Access identity provider

POST/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers

Update an Access identity provider

PUT/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Delete an Access identity provider

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

ModelsExpand Collapse

AzureAD object { config, name, type, 2 more }

config: object { claims, client_id, client_secret, 5 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

conditional_access_enabled: optional boolean

Should Cloudflare try to load authentication contexts from your account

directory_id: optional string

Your Azure directory uuid

email_claim_name: optional string

The claim name for email in the id_token response.

prompt: optional "login" or "select_account" or "none"

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

One of the following:

"login"

"select_account"

"none"

support_groups: optional boolean

Should Cloudflare try to load groups from your account

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

GenericOAuthConfig object { client_id, client_secret }

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

IdentityProvider = AzureAD { config, name, type, 2 more } or object { config, name, type, 2 more } or object { config, name, type, 2 more } or 11 more

One of the following:

AzureAD object { config, name, type, 2 more }

config: object { claims, client_id, client_secret, 5 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

conditional_access_enabled: optional boolean

Should Cloudflare try to load authentication contexts from your account

directory_id: optional string

Your Azure directory uuid

email_claim_name: optional string

The claim name for email in the id_token response.

prompt: optional "login" or "select_account" or "none"

One of the following:

"login"

"select_account"

"none"

support_groups: optional boolean

Should Cloudflare try to load groups from your account

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessCentrify object { config, name, type, 2 more }

config: object { centrify_account, centrify_app_id, claims, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

centrify_account: optional string

Your centrify account url

centrify_app_id: optional string

Your centrify app id

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessFacebook object { config, name, type, 2 more }

config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessGitHub object { config, name, type, 2 more }

config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessGoogle object { config, name, type, 2 more }

config: object { claims, client_id, client_secret, email_claim_name }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessGoogleApps object { config, name, type, 2 more }

config: object { apps_domain, claims, client_id, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

apps_domain: optional string

Your companies TLD

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessLinkedin object { config, name, type, 2 more }

config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOIDC object { config, name, type, 2 more }

config: object { auth_url, certs_url, claims, 6 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

auth_url: optional string

The authorization_endpoint URL of your IdP

certs_url: optional string

The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

pkce_enabled: optional boolean

Enable Proof Key for Code Exchange (PKCE)

scopes: optional array of string

OAuth scopes

token_url: optional string

The token_endpoint URL of your IdP

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOkta object { config, name, type, 2 more }

config: object { authorization_server_id, claims, client_id, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

authorization_server_id: optional string

Your okta authorization server id

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

okta_account: optional string

Your okta account url

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOnelogin object { config, name, type, 2 more }

config: object { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

onelogin_account: optional string

Your OneLogin account url

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessPingone object { config, name, type, 2 more }

config: object { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

ping_env_id: optional string

Your PingOne environment identifier

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessSAML object { config, name, type, 2 more }

config: object { attributes, email_attribute_name, header_attributes, 4 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

attributes: optional array of string

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name: optional string

The attribute name for email in the SAML response.

header_attributes: optional array of object { attribute_name, header_name }

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name: optional string

attribute name from the IDP

header_name: optional string

header that will be added on the request to the origin

idp_public_certs: optional array of string

X509 certificate to verify the signature in the SAML authentication response

issuer_url: optional string

IdP Entity ID or Issuer URL

sign_request: optional boolean

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url: optional string

URL to send the SAML authentication requests to

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessYandex object { config, name, type, 2 more }

config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOnetimepin object { config, name, type, 2 more }

config: object { redirect_url }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

redirect_url: optional string

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

IdentityProviderSCIMConfig object { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: optional boolean

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: optional "automatic" or "reauth" or "no_action"

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With “reauth” identities will not contain fields from the SCIM user resource. With “no_action” identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:

"automatic"

"reauth"

"no_action"

scim_base_url: optional string

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: optional boolean

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: optional string

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: optional boolean

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

IdentityProviderType = "onetimepin" or "azureAD" or "saml" or 11 more

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:

"onetimepin"

"azureAD"

"saml"

"centrify"

"facebook"

"github"

"google-apps"

"google"

"linkedin"

"oidc"

"okta"

"onelogin"

"pingone"

"yandex"

IdentityProviderListResponse = AzureAD { config, name, type, 2 more } or object { config, name, type, 2 more } or object { config, name, type, 2 more } or 10 more

One of the following:

AzureAD object { config, name, type, 2 more }

config: object { claims, client_id, client_secret, 5 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

conditional_access_enabled: optional boolean

Should Cloudflare try to load authentication contexts from your account

directory_id: optional string

Your Azure directory uuid

email_claim_name: optional string

The claim name for email in the id_token response.

prompt: optional "login" or "select_account" or "none"

One of the following:

"login"

"select_account"

"none"

support_groups: optional boolean

Should Cloudflare try to load groups from your account

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessCentrify object { config, name, type, 2 more }

config: object { centrify_account, centrify_app_id, claims, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

centrify_account: optional string

Your centrify account url

centrify_app_id: optional string

Your centrify app id

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessFacebook object { config, name, type, 2 more }

config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessGitHub object { config, name, type, 2 more }

config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessGoogle object { config, name, type, 2 more }

config: object { claims, client_id, client_secret, email_claim_name }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessGoogleApps object { config, name, type, 2 more }

config: object { apps_domain, claims, client_id, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

apps_domain: optional string

Your companies TLD

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessLinkedin object { config, name, type, 2 more }

config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOIDC object { config, name, type, 2 more }

config: object { auth_url, certs_url, claims, 6 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

auth_url: optional string

The authorization_endpoint URL of your IdP

certs_url: optional string

The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

pkce_enabled: optional boolean

Enable Proof Key for Code Exchange (PKCE)

scopes: optional array of string

OAuth scopes

token_url: optional string

The token_endpoint URL of your IdP

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOkta object { config, name, type, 2 more }

config: object { authorization_server_id, claims, client_id, 3 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

authorization_server_id: optional string

Your okta authorization server id

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

okta_account: optional string

Your okta account url

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessOnelogin object { config, name, type, 2 more }

config: object { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

onelogin_account: optional string

Your OneLogin account url

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessPingone object { config, name, type, 2 more }

config: object { claims, client_id, client_secret, 2 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: optional array of string

Custom claims

client_id: optional string

Your OAuth Client ID

client_secret: optional string

Your OAuth Client Secret

email_claim_name: optional string

The claim name for email in the id_token response.

ping_env_id: optional string

Your PingOne environment identifier

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessSAML object { config, name, type, 2 more }

config: object { attributes, email_attribute_name, header_attributes, 4 more }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

attributes: optional array of string

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name: optional string

The attribute name for email in the SAML response.

header_attributes: optional array of object { attribute_name, header_name }

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name: optional string

attribute name from the IDP

header_name: optional string

header that will be added on the request to the origin

idp_public_certs: optional array of string

X509 certificate to verify the signature in the SAML authentication response

issuer_url: optional string

IdP Entity ID or Issuer URL

sign_request: optional boolean

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url: optional string

URL to send the SAML authentication requests to

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

AccessYandex object { config, name, type, 2 more }

config: GenericOAuthConfig { client_id, client_secret }

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

The name of the identity provider, shown to users on the login page.

type: IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: optional string

UUID.

maxLength36

scim_config: optional IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

IdentityProviderDeleteResponse object { id }

id: optional string

UUID.

maxLength36

Zero TrustIdentity ProvidersSCIM

Zero TrustIdentity ProvidersSCIMGroups

List SCIM Group resources

GET/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/groups

Zero TrustIdentity ProvidersSCIMUsers

List SCIM User resources

GET/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/users

Zero TrustOrganizations

Get your Zero Trust organization

GET/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Create your Zero Trust organization

POST/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Update your Zero Trust organization

PUT/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Revoke all Access tokens for a user

POST/{accounts_or_zones}/{account_or_zone_id}/access/organizations/revoke_user

ModelsExpand Collapse

LoginDesign object { background_color, footer_text, header_text, 2 more }

background_color: optional string

The background color on your login page.

footer_text: optional string

The text at the bottom of your login page.

header_text: optional string

The text at the top of your login page.

logo_path: optional string

The URL of the logo on your login page.

text_color: optional string

The text color on your login page.

Organization object { allow_authenticate_via_warp, auth_domain, auto_redirect_to_identity, 13 more }

allow_authenticate_via_warp: optional boolean

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auth_domain: optional string

The unique subdomain assigned to your Zero Trust organization.

auto_redirect_to_identity: optional boolean

When set to true, users skip the identity provider selection step during login.

custom_pages: optional object { forbidden, identity_denied }

forbidden: optional string

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied: optional string

The uid of the custom page to use when a user is denied access.

deny_unmatched_requests: optional boolean

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

deny_unmatched_requests_exempted_zone_names: optional array of string

Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

is_ui_read_only: optional boolean

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

login_design: optional LoginDesign { background_color, footer_text, header_text, 2 more }

mfa_config: optional object { allowed_authenticators, amr_matching_session_duration, required_aaguids, session_duration }

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators: optional array of "totp" or "biometrics" or "security_key" or "ssh_piv_key"

Lists the MFA methods that users can authenticate with.

One of the following:

"totp"

"biometrics"

"security_key"

"ssh_piv_key"

amr_matching_session_duration: optional string

Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains “mfa”. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).

required_aaguids: optional string

Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.

formatuuid

session_duration: optional string

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

mfa_required_for_all_apps: optional boolean

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

mfa_ssh_piv_key_requirements: optional object { pin_policy, require_fips_device, ssh_key_size, 2 more }

Configures SSH PIV key requirements for MFA using hardware security keys.

pin_policy: optional "never" or "once" or "always"

Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use).

One of the following:

"never"

"once"

"always"

require_fips_device: optional boolean

Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.

ssh_key_size: optional array of 256 or 384 or 521 or 3 more

Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.

One of the following:

256

384

521

2048

3072

4096

ssh_key_type: optional array of "ecdsa" or "ed25519" or "rsa"

Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.

One of the following:

"ecdsa"

"ed25519"

"rsa"

touch_policy: optional "never" or "always" or "cached"

Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds).

One of the following:

"never"

"always"

"cached"

The name of your Zero Trust organization.

session_duration: optional string

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

ui_read_only_toggle_reason: optional string

A description of the reason why the UI read only field is being toggled.

user_seat_expiration_inactive_time: optional string

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration: optional string

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

OrganizationRevokeUsersResponse = true or false

One of the following:

true

false

Zero TrustOrganizationsDOH

Get your Zero Trust organization DoH settings

GET/accounts/{account_id}/access/organizations/doh

Update your Zero Trust organization DoH settings

PUT/accounts/{account_id}/access/organizations/doh

ModelsExpand Collapse

DOHGetResponse object { id, client_id, doh_jwt_duration, 3 more }

id: optional string

The ID of the service token.

maxLength36

client_id: optional string

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

doh_jwt_duration: optional string

The duration the DoH JWT is valid for. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.

duration: optional string

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

expires_at: optional string

formatdate-time

The name of the service token.

DOHUpdateResponse object { id, client_id, doh_jwt_duration, 3 more }

id: optional string

The ID of the service token.

maxLength36

client_id: optional string

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

doh_jwt_duration: optional string

duration: optional string

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

expires_at: optional string

formatdate-time

The name of the service token.

Zero TrustSeats

Update a user seat

PATCH/accounts/{account_id}/access/seats

ModelsExpand Collapse

Seat object { access_seat, created_at, gateway_seat, 2 more }

access_seat: optional boolean

True if the seat is part of Access.

created_at: optional string

formatdate-time

gateway_seat: optional boolean

True if the seat is part of Gateway.

seat_uid: optional string

The unique API identifier for the Zero Trust seat.

maxLength36

updated_at: optional string

formatdate-time

Zero TrustAccess

Zero TrustAccessAI Controls

Zero TrustAccessAI ControlsMcp

ModelsExpand Collapse

PortalListResponse object { id, hostname, name, 8 more }

id: string

portal id

maxLength32

minLength1

hostname: string

maxLength350

servers: array of object { id, auth_type, hostname, 16 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

default_disabled: optional boolean

description: optional string

maxLength512

error: optional string

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

on_behalf: optional boolean

status: optional string

updated_prompts: optional array of object { name, description, enabled, 2 more }

description: optional string

enabled: optional boolean

portal_alias: optional string

server_alias: optional string

updated_tools: optional array of object { name, description, enabled, 2 more }

description: optional string

enabled: optional boolean

portal_alias: optional string

server_alias: optional string

allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

modified_at: optional string

formatdate-time

modified_by: optional string

secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

PortalCreateResponse object { id, hostname, name, 8 more }

id: string

portal id

maxLength32

minLength1

hostname: string

maxLength350

servers: array of object { id, auth_type, hostname, 16 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

default_disabled: optional boolean

description: optional string

maxLength512

error: optional string

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

on_behalf: optional boolean

status: optional string

updated_prompts: optional array of object { name, description, enabled, 2 more }

description: optional string

enabled: optional boolean

portal_alias: optional string

server_alias: optional string

updated_tools: optional array of object { name, description, enabled, 2 more }

description: optional string

enabled: optional boolean

portal_alias: optional string

server_alias: optional string

allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

modified_at: optional string

formatdate-time

modified_by: optional string

secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

PortalReadResponse object { id, hostname, name, 8 more }

id: string

portal id

maxLength32

minLength1

hostname: string

maxLength350

servers: array of object { id, auth_type, hostname, 16 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

default_disabled: optional boolean

description: optional string

maxLength512

error: optional string

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

on_behalf: optional boolean

status: optional string

updated_prompts: optional array of object { name, description, enabled, 2 more }

description: optional string

enabled: optional boolean

portal_alias: optional string

server_alias: optional string

updated_tools: optional array of object { name, description, enabled, 2 more }

description: optional string

enabled: optional boolean

portal_alias: optional string

server_alias: optional string

allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

modified_at: optional string

formatdate-time

modified_by: optional string

secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

PortalUpdateResponse object { id, hostname, name, 8 more }

id: string

portal id

maxLength32

minLength1

hostname: string

maxLength350

servers: array of object { id, auth_type, hostname, 16 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

default_disabled: optional boolean

description: optional string

maxLength512

error: optional string

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

on_behalf: optional boolean

status: optional string

updated_prompts: optional array of object { name, description, enabled, 2 more }

description: optional string

enabled: optional boolean

portal_alias: optional string

server_alias: optional string

updated_tools: optional array of object { name, description, enabled, 2 more }

description: optional string

enabled: optional boolean

portal_alias: optional string

server_alias: optional string

allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

modified_at: optional string

formatdate-time

modified_by: optional string

secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

PortalDeleteResponse object { id, hostname, name, 7 more }

id: string

portal id

maxLength32

minLength1

hostname: string

maxLength350

allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

modified_at: optional string

formatdate-time

modified_by: optional string

secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

ModelsExpand Collapse

ServerListResponse object { id, auth_type, hostname, 14 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

error: optional string

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

status: optional string

updated_prompts: optional array of object { name, alias, description, enabled }

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

updated_tools: optional array of object { name, alias, description, enabled }

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

ServerCreateResponse object { id, auth_type, hostname, 14 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

error: optional string

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

status: optional string

updated_prompts: optional array of object { name, alias, description, enabled }

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

updated_tools: optional array of object { name, alias, description, enabled }

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

ServerReadResponse object { id, auth_type, hostname, 14 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

error: optional string

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

status: optional string

updated_prompts: optional array of object { name, alias, description, enabled }

alias: optional string

maxLength40

description: optional string

enabled<

Zero Trust

Zero TrustDevices

ModelsExpand Collapse

Zero TrustDevicesDevices

ModelsExpand Collapse

Zero TrustDevicesResilience

Zero TrustDevicesResilienceGlobal WARP Override

ModelsExpand Collapse

Zero TrustDevicesRegistrations

ModelsExpand Collapse

Zero TrustDevicesDEX Tests

ModelsExpand Collapse

Zero TrustDevicesIP Profiles

ModelsExpand Collapse

Zero TrustDevicesNetworks

ModelsExpand Collapse

Zero TrustDevicesFleet Status

ModelsExpand Collapse

Zero TrustDevicesPolicies

ModelsExpand Collapse

Zero TrustDevicesPoliciesDefault

ModelsExpand Collapse

Zero TrustDevicesPoliciesDefaultExcludes

Zero TrustDevicesPoliciesDefaultIncludes

Zero TrustDevicesPoliciesDefaultFallback Domains

Zero TrustDevicesPoliciesDefaultCertificates

Zero TrustDevicesPoliciesCustom

Zero TrustDevicesPoliciesCustomExcludes

Zero TrustDevicesPoliciesCustomIncludes

Zero TrustDevicesPoliciesCustomFallback Domains

Zero TrustDevicesPosture

ModelsExpand Collapse

Zero TrustDevicesPostureIntegrations

ModelsExpand Collapse

Zero TrustDevicesRevoke

ModelsExpand Collapse

Zero TrustDevicesSettings

ModelsExpand Collapse

Zero TrustDevicesUnrevoke

ModelsExpand Collapse

Zero TrustDevicesOverride Codes

ModelsExpand Collapse

Zero TrustIdentity Providers

ModelsExpand Collapse

Zero TrustIdentity ProvidersSCIM

Zero TrustIdentity ProvidersSCIMGroups

Zero TrustIdentity ProvidersSCIMUsers

Zero TrustOrganizations

ModelsExpand Collapse

Zero TrustOrganizationsDOH

ModelsExpand Collapse

Zero TrustSeats

ModelsExpand Collapse

Zero TrustAccess

Zero TrustAccessAI Controls

Zero TrustAccessAI ControlsMcp

Zero TrustAccessAI ControlsMcpPortals

ModelsExpand Collapse

Zero TrustAccessAI ControlsMcpServers