Zero Trust

zero_trust

zero_trust.access

Domain types

AccessDevicePostureRule = { device_posture }

Enforces a device posture rule has run successfully

AccessRule = | | { auth_context } | 18 more...

Matches an Access group.

AnyValidServiceTokenRule = { any_valid_service_token }

Matches any valid Access Service Token

AuthenticationMethodRule = { auth_method }

Enforce different MFA options

AzureGroupRule = { azureAD }

Matches an Azure group. Requires an Azure identity provider.

CertificateRule = { certificate }

Matches any valid client certificate.

CountryRule = { geo }

Matches a specific country

DomainRule = { email_domain }

Match an entire email domain.

EmailListRule = { email_list }

Matches an email address from a list.

EmailRule = { email }

Matches a specific email.

EveryoneRule = { everyone }

Matches everyone.

ExternalEvaluationRule = { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

GitHubOrganizationRule = { github-organization }

Matches a Github organization. Requires a Github identity provider.

GroupRule = { group }

Matches an Access group.

GSuiteGroupRule = { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

IPListRule = { ip_list }

Matches an IP address from a list.

IPRule = { ip }

Matches an IP address block.

OktaGroupRule = { okta }

Matches an Okta group. Requires an Okta identity provider.

SAMLGroupRule = { saml }

Matches a SAML group. Requires a SAML identity provider.

ServiceTokenRule = { service_token }

Matches a specific Access Service Token

Zero TrustAccess

Applications

zero_trust.access.applications

Methods

Add An Access Application -> Envelope<{ domain, type, id, 27 more... } | { id, allowed_idps, app_launcher_visible, 12 more... } | { domain, type, id, 27 more... } | 6 more...>
post/{account_or_zone}/{account_or_zone_id}/access/apps

Adds a new application to Access.

Delete An Access Application -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}

Deletes an application from Access.

Get An Access Application -> Envelope<{ domain, type, id, 27 more... } | { id, allowed_idps, app_launcher_visible, 12 more... } | { domain, type, id, 27 more... } | 6 more...>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}

Fetches information about an Access application.

List Access Applications -> SinglePage<{ domain, type, id, 27 more... } | { id, allowed_idps, app_launcher_visible, 12 more... } | { domain, type, id, 27 more... } | 6 more...>
get/{account_or_zone}/{account_or_zone_id}/access/apps

Lists all Access applications in an account or zone.

Revoke Application Tokens -> Envelope<unknown>
post/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens

Revokes all tokens issued for an application.

Update An Access Application -> Envelope<{ domain, type, id, 27 more... } | { id, allowed_idps, app_launcher_visible, 12 more... } | { domain, type, id, 27 more... } | 6 more...>
put/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}

Updates an Access application.

Domain types

AllowedHeaders = string
AllowedIdPs = string

The identity providers selected for application.

AllowedMethods = "GET" | "POST" | "HEAD" | 6 more...
AllowedOrigins = string
AppID = string

Identifier

Application = { domain, type, id, 19 more... } | { id, allowed_idps, app_launcher_visible, 9 more... } | { domain, type, id, 19 more... } | 5 more...
ApplicationPolicy = { id, approval_groups, approval_required, 11 more... }
ApplicationSCIMConfig = { idp_uid, remote_uri, authentication, 3 more... }

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

ApplicationType = "self_hosted" | "saas" | "ssh" | 7 more...

The application type.

CORSHeaders = { allow_all_headers, allow_all_methods, allow_all_origins, 5 more... }
Decision = "allow" | "deny" | "non_identity" | 1 more...

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

OIDCSaaSApp = { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 13 more... }
SaaSAppNameIDFormat = "id" | "email"

The format of the name identifier sent to the SaaS application.

SAMLSaaSApp = { auth_type, consumer_service_url, created_at, 10 more... }
SCIMConfigAuthenticationHTTPBasic = { password, scheme, user }

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

SCIMConfigAuthenticationOauth2 = { authorization_url, client_id, client_secret, 3 more... }

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

SCIMConfigAuthenticationOAuthBearerToken = { token, scheme }

Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.

SCIMConfigMapping = { schema, enabled, filter, 3 more... }

Transformations and filters applied to resources before they are provisioned in the remote SCIM service.

SelfHostedDomains = string

A domain that Access will secure.

zero_trust.access.applications.cas

Methods

Create A Short Lived Certificate CA -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/ca

Generates a new short-lived certificate CA and public key.

Delete A Short Lived Certificate CA -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/ca

Deletes a short-lived certificate CA.

Get A Short Lived Certificate CA -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/ca

Fetches a short-lived certificate CA and its public key.

List Short Lived Certificate CAs -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/apps/ca

Lists short-lived certificate CAs and their public keys.

Domain types

CA = { id, aud, public_key }

zero_trust.access.applications.policies

Methods

Create An Access Application Policy -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies

Creates a policy applying exclusive to a single application that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.

Delete An Access Application Policy -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

Get An Access Application Policy -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.

List Access Application Policies -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies

Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.

Update An Access Application Policy -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

zero_trust.access.applications.policy_tests

Methods

Start Access Policy Test -> { id, status }
post/accounts/{account_id}/access/policy-tests

Starts an Access policy test.

Get The Current Status Of A Given Access Policy Test -> { id, pages_processed, percent_approved, 6 more... }
get/accounts/{account_id}/access/policy-tests/{policy_test_id}

Fetches the current status of a given Access policy test.

zero_trust.access.applications.policy_tests.users

Methods

Get An Access Policy Test Users Page -> Array<{ id, email, name, 1 more... }>
get/accounts/{account_id}/access/policy-tests/{policy_test_id}/users

Fetches a single page of user results from an Access policy test.

zero_trust.access.applications.user_policy_checks

Methods

Test Access Policies -> Envelope<{ app_state, user_identity }>
get/{account_or_zone}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks

Tests if a specific user has permission to access an application.

Domain types

UserPolicyCheckGeo = { country }

zero_trust.access.bookmarks

Methods

Create A Bookmark Application -> Envelope<>
post/accounts/{account_id}/access/bookmarks/{bookmark_id}

Create a new Bookmark application.

Delete A Bookmark Application -> Envelope<{ id }>
delete/accounts/{account_id}/access/bookmarks/{bookmark_id}

Deletes a Bookmark application.

Get A Bookmark Application -> Envelope<>
get/accounts/{account_id}/access/bookmarks/{bookmark_id}

Fetches a single Bookmark application.

List Bookmark Applications -> SinglePage<>
get/accounts/{account_id}/access/bookmarks

Lists Bookmark applications.

Update A Bookmark Application -> Envelope<>
put/accounts/{account_id}/access/bookmarks/{bookmark_id}

Updates a configured Bookmark application.

Domain types

Bookmark = { id, app_launcher_visible, created_at, 4 more... }
Zero TrustAccess

Certificates

zero_trust.access.certificates

Methods

Add An M TLS Certificate -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/certificates

Adds a new mTLS root certificate to Access.

Delete An M TLS Certificate -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/certificates/{certificate_id}

Deletes an mTLS certificate.

Get An M TLS Certificate -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/certificates/{certificate_id}

Fetches a single mTLS certificate.

List M TLS Certificates -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/certificates

Lists all mTLS root certificates.

Update An M TLS Certificate -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/certificates/{certificate_id}

Updates a configured mTLS certificate.

Domain types

AssociatedHostnames = string

A fully-qualified domain name (FQDN).

Certificate = { id, associated_hostnames, created_at, 4 more... }

zero_trust.access.certificates.settings

Methods

List All M TLS Hostname Settings -> Envelope<Array<>>
get/{account_or_zone}/{account_or_zone_id}/access/certificates/settings

List all mTLS hostname settings for this account or zone.

Update An M TLS Certificate S Hostname Settings -> Envelope<Array<>>
put/{account_or_zone}/{account_or_zone_id}/access/certificates/settings

Updates an mTLS certificate's hostname settings.

Domain types

CertificateSettings = { china_network, client_certificate_forwarding, hostname }
Zero TrustAccess

Custom Pages

zero_trust.access.custom_pages

Methods

Create A Custom Page -> Envelope<>
post/accounts/{account_id}/access/custom_pages

Create a custom page

Delete A Custom Page -> Envelope<{ id }>
delete/accounts/{account_id}/access/custom_pages/{custom_page_id}

Delete a custom page

Get A Custom Page -> Envelope<>
get/accounts/{account_id}/access/custom_pages/{custom_page_id}

Fetches a custom page and also returns its HTML.

List Custom Pages -> SinglePage<>
get/accounts/{account_id}/access/custom_pages

List custom pages

Update A Custom Page -> Envelope<>
put/accounts/{account_id}/access/custom_pages/{custom_page_id}

Update a custom page

Domain types

CustomPage = { custom_html, name, type, 4 more... }
CustomPageWithoutHTML = { name, type, app_count, 3 more... }

zero_trust.access.gateway_ca

Methods

Add A New SSH Certificate Authority CA -> Envelope<{ id, public_key }>
post/accounts/{account_id}/access/gateway_ca

Adds a new SSH Certificate Authority (CA).

Delete An SSH Certificate Authority CA -> Envelope<{ id }>
delete/accounts/{account_id}/access/gateway_ca/{certificate_id}

Deletes an SSH Certificate Authority.

List SSH Certificate Authorities CA -> SinglePage<{ id, public_key }>
get/accounts/{account_id}/access/gateway_ca

Lists SSH Certificate Authorities (CA).

zero_trust.access.groups

Methods

Create An Access Group -> Envelope<>
post/{account_or_zone}/{account_or_zone_id}/access/groups

Creates a new Access group.

Delete An Access Group -> Envelope<{ id }>
delete/{account_or_zone}/{account_or_zone_id}/access/groups/{group_id}

Deletes an Access group.

Get An Access Group -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/groups/{group_id}

Fetches a single Access group.

List Access Groups -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/groups

Lists all Access groups.

Update An Access Group -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/groups/{group_id}

Updates a configured Access group.

Domain types

ZeroTrustGroup = { id, created_at, exclude, 5 more... }
Zero TrustAccess

Infrastructure

zero_trust.access.infrastructure

zero_trust.access.infrastructure.targets

Methods

Delete Targets ->
delete/accounts/{account_id}/infrastructure/targets/batch

Removes one or more targets.

Create New Targets -> Array<{ id, created_at, hostname, 2 more... }>
put/accounts/{account_id}/infrastructure/targets/batch

Adds one or more targets.

Create New Target -> Envelope<{ id, created_at, hostname, 2 more... }>
post/accounts/{account_id}/infrastructure/targets

Create new target

Delete Target ->
delete/accounts/{account_id}/infrastructure/targets/{target_id}

Delete target

Get Target -> Envelope<{ id, created_at, hostname, 2 more... }>
get/accounts/{account_id}/infrastructure/targets/{target_id}

Get target

List All Targets -> V4PagePaginationArray<{ id, created_at, hostname, 2 more... }>
get/accounts/{account_id}/infrastructure/targets

Lists and sorts an account’s targets. Filters are optional and are ANDed together.

Update Target -> Envelope<{ id, created_at, hostname, 2 more... }>
put/accounts/{account_id}/infrastructure/targets/{target_id}

Update target

zero_trust.access.keys

Methods

Get The Access Key Configuration -> Envelope<{ days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }>
get/accounts/{account_id}/access/keys

Gets the Access key rotation settings for an account.

Rotate Access Keys -> Envelope<{ days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }>
post/accounts/{account_id}/access/keys/rotate

Perfoms a key rotation for an account.

Update The Access Key Configuration -> Envelope<{ days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }>
put/accounts/{account_id}/access/keys

Updates the Access key rotation settings for an account.

zero_trust.access.logs

Zero TrustAccessLogs

Access Requests

zero_trust.access.logs.access_requests

Methods

Get Access Authentication Logs -> Envelope<Array<>>
get/accounts/{account_id}/access/logs/access_requests

Gets a list of Access authentication audit logs for an account.

Domain types

AccessRequests = { action, allowed, app_domain, 6 more... }

zero_trust.access.policies

Methods

Create An Access Reusable Policy -> Envelope<{ id, app_count, approval_groups, 13 more... }>
post/accounts/{account_id}/access/policies

Creates a new Access reusable policy.

Delete An Access Reusable Policy -> Envelope<{ id }>
delete/accounts/{account_id}/access/policies/{policy_id}

Deletes an Access reusable policy.

Get An Access Reusable Policy -> Envelope<{ id, app_count, approval_groups, 13 more... }>
get/accounts/{account_id}/access/policies/{policy_id}

Fetches a single Access reusable policy.

List Access Reusable Policies -> SinglePage<{ id, app_count, approval_groups, 13 more... }>
get/accounts/{account_id}/access/policies

Lists Access reusable policies.

Update An Access Reusable Policy -> Envelope<{ id, app_count, approval_groups, 13 more... }>
put/accounts/{account_id}/access/policies/{policy_id}

Updates a Access reusable policy.

Domain types

ApprovalGroup = { approvals_needed, email_addresses, email_list_uuid }

A group of email addresses that can approve a temporary authentication request.

Policy = { id, approval_groups, approval_required, 11 more... }
Zero TrustAccess

Service Tokens

zero_trust.access.service_tokens

Methods

Create A Service Token -> Envelope<{ id, client_id, client_secret, 4 more... }>
post/{account_or_zone}/{account_or_zone_id}/access/service_tokens

Generates a new service token. Note: This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.

Delete A Service Token -> Envelope<>
delete/{account_or_zone}/{account_or_zone_id}/access/service_tokens/{service_token_id}

Deletes a service token.

Get A Service Token -> Envelope<>
get/{account_or_zone}/{account_or_zone_id}/access/service_tokens/{service_token_id}

Fetches a single service token.

List Service Tokens -> SinglePage<>
get/{account_or_zone}/{account_or_zone_id}/access/service_tokens

Lists all service tokens.

Refresh A Service Token -> Envelope<>
post/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh

Refreshes the expiration of a service token.

Rotate A Service Token -> Envelope<{ id, client_id, client_secret, 4 more... }>
post/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate

Generates a new Client Secret for a service token and revokes the old one.

Update A Service Token -> Envelope<>
put/{account_or_zone}/{account_or_zone_id}/access/service_tokens/{service_token_id}

Updates a configured service token.

Domain types

ServiceToken = { id, client_id, created_at, 5 more... }

zero_trust.access.tags

Methods

Create A Tag -> Envelope<>
post/accounts/{account_id}/access/tags

Create a tag

Delete A Tag -> Envelope<{ name }>
delete/accounts/{account_id}/access/tags/{tag_name}

Delete a tag

Get A Tag -> Envelope<>
get/accounts/{account_id}/access/tags/{tag_name}

Get a tag

List Tags -> SinglePage<>
get/accounts/{account_id}/access/tags

List tags

Update A Tag -> Envelope<>
put/accounts/{account_id}/access/tags/{tag_name}

Update a tag

Domain types

Tag = { name, app_count, created_at, 1 more... }

A tag

zero_trust.access.users

Methods

Get Users -> SinglePage<>
get/accounts/{account_id}/access/users

Gets a list of users for an account.

Domain types

AccessUser = { id, access_seat, active_device_count, 8 more... }
Zero TrustAccessUsers

Active Sessions

zero_trust.access.users.active_sessions

Methods

Get Single Active Session -> Envelope<{ account_id, auth_status, common_name, 16 more... }>
get/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}

Get an active session for a single user.

Get Active Sessions -> SinglePage<{ expiration, metadata, name }>
get/accounts/{account_id}/access/users/{user_id}/active_sessions

Get active sessions for a single user.

zero_trust.access.users.failed_logins

Methods

Get Failed Logins -> SinglePage<{ expiration, metadata }>
get/accounts/{account_id}/access/users/{user_id}/failed_logins

Get all failed login attempts for a single user.

Zero TrustAccessUsers

Last Seen Identity

zero_trust.access.users.last_seen_identity

Methods

Get Last Seen Identity -> Envelope<>
get/accounts/{account_id}/access/users/{user_id}/last_seen_identity

Get last seen identity for a single user.

Domain types

Identity = { account_id, auth_status, common_name, 15 more... }
Zero Trust

Connectivity Settings

zero_trust.connectivity_settings

Methods

Updates The Zero Trust Connectivity Settings -> Envelope<{ icmp_proxy_enabled, offramp_warp_enabled }>
patch/accounts/{account_id}/zerotrust/connectivity_settings

Updates the Zero Trust Connectivity Settings for the given account.

Get Zero Trust Connectivity Settings -> Envelope<{ icmp_proxy_enabled, offramp_warp_enabled }>
get/accounts/{account_id}/zerotrust/connectivity_settings

Gets the Zero Trust Connectivity Settings for the given account.

Zero Trust

Devices

zero_trust.devices

Methods

Get Device Details -> Envelope<{ id, account, created, 16 more... }>
get/accounts/{account_id}/devices/{device_id}

Fetches details for a single device.

List Devices -> SinglePage<>
get/accounts/{account_id}/devices

Fetches a list of enrolled devices.

Domain types

Device = { id, created, deleted, 17 more... }

zero_trust.devices.dex_tests

Methods

Create Device DEX Test -> Envelope<>
post/accounts/{account_id}/devices/dex_tests

Create a DEX test.

Delete Device DEX Test -> Envelope<{ dex_tests }>
delete/accounts/{account_id}/devices/dex_tests/{dex_test_id}

Delete a Device DEX test. Returns the remaining device dex tests for the account.

Get Device DEX Test -> Envelope<>
get/accounts/{account_id}/devices/dex_tests/{dex_test_id}

Fetch a single DEX test.

List Device DEX Tests -> SinglePage<>
get/accounts/{account_id}/devices/dex_tests

Fetch all DEX tests.

Update Device DEX Test -> Envelope<>
put/accounts/{account_id}/devices/dex_tests/{dex_test_id}

Update a DEX test.

Domain types

DEXTest = { data, enabled, interval, 5 more... }
SchemaData = { host, kind, method }

The configuration object which contains the details for the WARP client to conduct the test.

SchemaHTTP = { data, enabled, interval, 5 more... }
Zero TrustDevices

Fleet Status

zero_trust.devices.fleet_status

Methods

Get The Live Status Of A Latest Device -> { colo, deviceId, mode, 35 more... }
get/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live

Get the live status of a latest device given device_id from the device_state table

zero_trust.devices.networks

Methods

Create A Device Managed Network -> Envelope<>
post/accounts/{account_id}/devices/networks

Creates a new device managed network.

Delete A Device Managed Network -> Envelope<Array<>>
delete/accounts/{account_id}/devices/networks/{network_id}

Deletes a device managed network and fetches a list of the remaining device managed networks for an account.

Get Device Managed Network Details -> Envelope<>
get/accounts/{account_id}/devices/networks/{network_id}

Fetches details for a single managed network.

List Your Device Managed Networks -> SinglePage<>
get/accounts/{account_id}/devices/networks

Fetches a list of managed networks for an account.

Update A Device Managed Network -> Envelope<>
put/accounts/{account_id}/devices/networks/{network_id}

Updates a configured device managed network.

Domain types

DeviceNetwork = { config, name, network_id, 1 more... }
Zero TrustDevices

Override Codes

zero_trust.devices.override_codes

Methods

Get An Admin Override Code For A Device -> Envelope<{ disable_for_time }>
get/accounts/{account_id}/devices/{device_id}/override_codes

Fetches a one-time use admin override code for a device. This relies on the Admin Override setting being enabled in your device configuration.

zero_trust.devices.policies

Domain types

DevicePolicyCertificates = { enabled }
FallbackDomain = { suffix, description, dns_server }
FallbackDomainPolicy = Array<>
SettingsPolicy = { allow_mode_switch, allow_updates, allowed_to_leave, 22 more... }
SplitTunnelExclude = { address, description, host }
SplitTunnelInclude = { address, description, host }

zero_trust.devices.policies.custom

Methods

Create A Device Settings Profile -> Envelope<>
post/accounts/{account_id}/devices/policy

Creates a device settings profile to be applied to certain devices matching the criteria.

Delete A Device Settings Profile -> Envelope<Array<>>
delete/accounts/{account_id}/devices/policy/{policy_id}

Deletes a device settings profile and fetches a list of the remaining profiles for an account.

Update A Device Settings Profile -> Envelope<>
patch/accounts/{account_id}/devices/policy/{policy_id}

Updates a configured device settings profile.

Get Device Settings Profile By ID -> Envelope<>
get/accounts/{account_id}/devices/policy/{policy_id}

Fetches a device settings profile by ID.

List Device Settings Profiles -> SinglePage<>
get/accounts/{account_id}/devices/policies

Fetches a list of the device settings profiles for an account.

zero_trust.devices.policies.custom.excludes

Methods

Get The Split Tunnel Exclude List For A Device Settings Profile -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/{policy_id}/exclude

Fetches the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

Set The Split Tunnel Exclude List For A Device Settings Profile -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/{policy_id}/exclude

Sets the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

zero_trust.devices.policies.custom.fallback_domains

Methods

Get The Local Domain Fallback List For A Device Settings Profile -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Fetches the list of domains to bypass Gateway DNS resolution from a specified device settings profile. These domains will use the specified local DNS resolver instead.

Set The Local Domain Fallback List For A Device Settings Profile -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. This will only apply to the specified device settings profile.

zero_trust.devices.policies.custom.includes

Methods

Get The Split Tunnel Include List For A Device Settings Profile -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/{policy_id}/include

Fetches the list of routes included in the WARP client's tunnel for a specific device settings profile.

Set The Split Tunnel Include List For A Device Settings Profile -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/{policy_id}/include

Sets the list of routes included in the WARP client's tunnel for a specific device settings profile.

zero_trust.devices.policies.default

Methods

Update The Default Device Settings Profile -> Envelope<{ allow_mode_switch, allow_updates, allowed_to_leave, 14 more... }>
patch/accounts/{account_id}/devices/policy

Updates the default device settings profile for an account.

Get The Default Device Settings Profile -> Envelope<{ allow_mode_switch, allow_updates, allowed_to_leave, 14 more... }>
get/accounts/{account_id}/devices/policy

Fetches the default device settings profile for an account.

zero_trust.devices.policies.default.certificates

Methods

Update Device Certificate Provisioning Status -> Envelope<unknown>
patch/zones/{zone_id}/devices/policy/certificates

Enable Zero Trust Clients to provision a certificate, containing a x509 subject, and referenced by Access device posture policies when the client visits MTLS protected domains. This facilitates device posture without a WARP session.

Get Device Certificate Provisioning Status -> Envelope<unknown>
get/zones/{zone_id}/devices/policy/certificates

Fetches device certificate provisioning

zero_trust.devices.policies.default.excludes

Methods

Get The Split Tunnel Exclude List -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/exclude

Fetches the list of routes excluded from the WARP client's tunnel.

Set The Split Tunnel Exclude List -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/exclude

Sets the list of routes excluded from the WARP client's tunnel.

zero_trust.devices.policies.default.fallback_domains

Methods

Get Your Local Domain Fallback List -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/fallback_domains

Fetches a list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.

Set Your Local Domain Fallback List -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/fallback_domains

Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.

zero_trust.devices.policies.default.includes

Methods

Get The Split Tunnel Include List -> Envelope<Array<>>
get/accounts/{account_id}/devices/policy/include

Fetches the list of routes included in the WARP client's tunnel.

Set The Split Tunnel Include List -> Envelope<Array<>>
put/accounts/{account_id}/devices/policy/include

Sets the list of routes included in the WARP client's tunnel.

zero_trust.devices.posture

Methods

Create A Device Posture Rule -> Envelope<>
post/accounts/{account_id}/devices/posture

Creates a new device posture rule.

Delete A Device Posture Rule -> Envelope<{ id }>
delete/accounts/{account_id}/devices/posture/{rule_id}

Deletes a device posture rule.

Get Device Posture Rule Details -> Envelope<>
get/accounts/{account_id}/devices/posture/{rule_id}

Fetches a single device posture rule.

List Device Posture Rules -> SinglePage<>
get/accounts/{account_id}/devices/posture

Fetches device posture rules for a Zero Trust account.

Update A Device Posture Rule -> Envelope<>
put/accounts/{account_id}/devices/posture/{rule_id}

Updates a device posture rule.

Domain types

CarbonblackInput = string
ClientCertificateInput = { certificate_id, cn }
CrowdstrikeInput = { connection_id, last_seen, operator, 6 more... }
DeviceInput = | | | 15 more...

The value to be checked against.

DeviceMatch = { platform }
DevicePostureRule = { id, description, expiration, 5 more... }
DiskEncryptionInput = { checkDisks, requireAll }
DomainJoinedInput = { operating_system, domain }
FileInput = { operating_system, path, exists, 2 more... }
FirewallInput = { enabled, operating_system }
IntuneInput = { compliance_status, connection_id }
KolideInput = { connection_id, countOperator, issue_count }
OSVersionInput = { operating_system, operator, version, 3 more... }
SentineloneInput = { operating_system, path, sha256, 1 more... }
SentineloneS2sInput = { connection_id, active_threats, infected, 4 more... }
TaniumInput = { connection_id, eid_last_seen, operator, 3 more... }
UniqueClientIDInput = { id, operating_system }
WorkspaceOneInput = { compliance_status, connection_id }

zero_trust.devices.posture.integrations

Methods

Create A Device Posture Integration -> Envelope<>
post/accounts/{account_id}/devices/posture/integration

Create a new device posture integration.

Delete A Device Posture Integration -> Envelope<unknown>
delete/accounts/{account_id}/devices/posture/integration/{integration_id}

Delete a configured device posture integration.

Update A Device Posture Integration -> Envelope<>
patch/accounts/{account_id}/devices/posture/integration/{integration_id}

Updates a configured device posture integration.

Get Device Posture Integration Details -> Envelope<>
get/accounts/{account_id}/devices/posture/integration/{integration_id}

Fetches details for a single device posture integration.

List Your Device Posture Integrations -> SinglePage<>
get/accounts/{account_id}/devices/posture/integration

Fetches the list of device posture integrations for an account.

Domain types

Integration = { id, config, interval, 2 more... }

zero_trust.devices.revoke

Methods

Revoke Devices -> Envelope<unknown>
post/accounts/{account_id}/devices/revoke

Revokes a list of devices.

zero_trust.devices.settings

Methods

Patch Device Settings For A Zero Trust Account -> Envelope<>
patch/accounts/{account_id}/devices/settings

Patches the current device settings for a Zero Trust account.

Get Device Settings For A Zero Trust Account -> Envelope<>
get/accounts/{account_id}/devices/settings

Describes the current device settings for a Zero Trust account.

Update Device Settings For A Zero Trust Account -> Envelope<>
put/accounts/{account_id}/devices/settings

Updates the current device settings for a Zero Trust account.

Domain types

DeviceSettings = { disable_for_time, gateway_proxy_enabled, gateway_udp_proxy_enabled, 2 more... }

zero_trust.devices.unrevoke

Methods

Unrevoke Devices -> Envelope<unknown>
post/accounts/{account_id}/devices/unrevoke

Unrevokes a list of devices.

zero_trust.dex

Domain types

DigitalExperienceMonitor = { id, default, name }
NetworkPath = { slots, sampling }
NetworkPathResponse = { id, deviceName, interval, 4 more... }
Percentiles = { p50, p90, p95, 1 more... }

zero_trust.dex.colos

Methods

List Cloudflare Colos -> SinglePage<unknown>
get/accounts/{account_id}/dex/colos

List Cloudflare colos that account's devices were connected to during a time period, sorted by usage starting from the most used colo. Colos without traffic are also returned and sorted alphabetically.

zero_trust.dex.commands

Methods

Create Account Commands -> Envelope<{ commands }>
post/accounts/{account_id}/dex/commands

Initiate commands for up to 10 devices per account

List Account Commands -> V4PagePagination<{ commands }>
get/accounts/{account_id}/dex/commands

Retrieves a paginated list of commands issued to devices under the specified account, optionally filtered by time range, device, or other parameters

zero_trust.dex.commands.devices

Methods

List Devices Eligible For Remote Captures -> V4PagePagination<{ devices }>
get/accounts/{account_id}/dex/commands/devices

List devices with WARP client support for remote captures which have been connected in the last 1 hour.

zero_trust.dex.commands.downloads

Methods

Download Command Output File -> unknown
get/accounts/{account_id}/dex/commands/{command_id}/downloads/{filename}

Downloads artifacts for an executed command. Bulk downloads are not supported

zero_trust.dex.commands.quota

Methods

Returns Account Commands Usage Quota And Reset Time -> Envelope<{ quota, quota_usage, reset_time }>
get/accounts/{account_id}/dex/commands/quota

Retrieves the current quota usage and limits for device commands within a specific account, including the time when the quota will reset

Zero TrustDEX

Fleet Status

zero_trust.dex.fleet_status

Methods

List Fleet Status Details By Dimension -> Envelope<{ deviceStats }>
get/accounts/{account_id}/dex/fleet-status/live

List details for live (up to 60 minutes) devices using WARP

List Fleet Status Aggregate Details By Dimension ->
get/accounts/{account_id}/dex/fleet-status/over-time

List details for devices using WARP, up to 7 days

Domain types

LiveStat = { uniqueDevicesTotal, value }

zero_trust.dex.fleet_status.devices

Methods

List Fleet Status Devices -> V4PagePaginationArray<{ colo, deviceId, mode, 35 more... }>
get/accounts/{account_id}/dex/fleet-status/devices

List details for devices using WARP

Zero TrustDEX

HTTP Tests

zero_trust.dex.http_tests

Methods

Get Details And Aggregate Metrics For An HTTP Test -> Envelope<>
get/accounts/{account_id}/dex/http-tests/{test_id}

Get test details and aggregate performance metrics for an http test for a given time period between 1 hour and 7 days.

Domain types

HTTPDetails = { host, httpStats, httpStatsByColo, 6 more... }

zero_trust.dex.http_tests.percentiles

Methods

Get Percentiles For An HTTP Test -> Envelope<>
get/accounts/{account_id}/dex/http-tests/{test_id}/percentiles

Get percentiles for an http test for a given time period between 1 hour and 7 days.

Domain types

HTTPDetailsPercentiles = { dnsResponseTimeMs, resourceFetchTimeMs, serverResponseTimeMs }
TestStatOverTime = { slots, avg, max, 1 more... }

zero_trust.dex.tests

Methods

List DEX Test Analytics -> V4PagePagination<>
get/accounts/{account_id}/dex/tests/overview

List DEX tests with overview metrics

Domain types

AggregateTimePeriod = { units, value }
Tests = { overviewMetrics, tests }
Zero TrustDEXTests

Unique Devices

zero_trust.dex.tests.unique_devices

Methods

Get Count Of Devices Targeted -> Envelope<>
get/accounts/{account_id}/dex/tests/unique-devices

Returns unique count of devices that have run synthetic application monitoring tests in the past 7 days.

Domain types

UniqueDevices = { uniqueDevicesTotal }
Zero TrustDEX

Traceroute Test Results

zero_trust.dex.traceroute_test_results

zero_trust.dex.traceroute_test_results.network_path

Methods

Get Details For A Specific Traceroute Test Run -> Envelope<{ hops, resultId, deviceName, 2 more... }>
get/accounts/{account_id}/dex/traceroute-test-results/{test_result_id}/network-path

Get a breakdown of hops and performance metrics for a specific traceroute test run

Zero TrustDEX

Traceroute Tests

zero_trust.dex.traceroute_tests

Methods

Get Details And Aggregate Metrics For A Traceroute Test -> Envelope<>
get/accounts/{account_id}/dex/traceroute-tests/{test_id}

Get test details and aggregate performance metrics for an traceroute test for a given time period between 1 hour and 7 days.

Get Network Path Breakdown For A Traceroute Test -> Envelope<>
get/accounts/{account_id}/dex/traceroute-tests/{test_id}/network-path

Get a breakdown of metrics by hop for individual traceroute test runs

Get Percentiles For A Traceroute Test -> Envelope<{ hopsCount, packetLossPct, roundTripTimeMs }>
get/accounts/{account_id}/dex/traceroute-tests/{test_id}/percentiles

Get percentiles for a traceroute test for a given time period between 1 hour and 7 days.

Domain types

Traceroute = { host, interval, kind, 5 more... }

zero_trust.dlp

zero_trust.dlp.datasets

Methods

Create A New Dataset -> Envelope<>
post/accounts/{account_id}/dlp/datasets

Create a new dataset

Delete A Dataset ->
delete/accounts/{account_id}/dlp/datasets/{dataset_id}

This deletes all versions of the dataset.

Fetch A Specific Dataset -> Envelope<>
get/accounts/{account_id}/dlp/datasets/{dataset_id}

Fetch a specific dataset

Fetch All Datasets -> SinglePage<>
get/accounts/{account_id}/dlp/datasets

Fetch all datasets

Update Details About A Dataset -> Envelope<>
put/accounts/{account_id}/dlp/datasets/{dataset_id}

Update details about a dataset

Domain types

Dataset = { id, columns, created_at, 8 more... }
DatasetArray = Array<>
DatasetCreation = { dataset, encoding_version, max_cells, 2 more... }

zero_trust.dlp.datasets.upload

Methods

Prepare To Upload A New Version Of A Dataset -> Envelope<>
post/accounts/{account_id}/dlp/datasets/{dataset_id}/upload

Prepare to upload a new version of a dataset

Upload A New Version Of A Dataset -> Envelope<>
post/accounts/{account_id}/dlp/datasets/{dataset_id}/upload/{version}

This is used for single-column EDMv1 and Custom Word Lists. The EDM format can only be created in the Cloudflare dashboard. For other clients, this operation can only be used for non-secret Custom Word Lists. The body must be a UTF-8 encoded, newline (NL or CRNL) separated list of words to be matched.

Domain types

NewVersion = { encoding_version, max_cells, version, 2 more... }

zero_trust.dlp.datasets.versions

Methods

Sets The Column Information For A Multi Column Upload -> Envelope<Array<{ entry_id, header_name, num_cells, 1 more... }>>
post/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}

This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard. The columns in the response appear in the same order as in the request.

zero_trust.dlp.datasets.versions.entries

Methods

Upload A New Version Of A Multi Column Dataset -> Envelope<{ entry_id, header_name, num_cells, 1 more... }>
post/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}/entries/{entry_id}

This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard.

zero_trust.dlp.email

Zero TrustDLPEmail

Account Mapping

zero_trust.dlp.email.account_mapping

Methods

Create Mapping -> Envelope<{ addin_identifier_token, auth_requirements }>
post/accounts/{account_id}/dlp/email/account_mapping

Create mapping

Get Mapping -> Envelope<{ addin_identifier_token, auth_requirements }>
get/accounts/{account_id}/dlp/email/account_mapping

Get mapping

zero_trust.dlp.email.rules

Methods

Update Email Scanner Rule Priorities -> Envelope<{ action, conditions, created_at, 6 more... }>
patch/accounts/{account_id}/dlp/email/rules

Update email scanner rule priorities

Create Email Scanner Rule -> Envelope<{ action, conditions, created_at, 6 more... }>
post/accounts/{account_id}/dlp/email/rules

Create email scanner rule

Delete Email Scanner Rule -> Envelope<{ action, conditions, created_at, 6 more... }>
delete/accounts/{account_id}/dlp/email/rules/{rule_id}

Delete email scanner rule

Get An Email Scanner Rule -> Envelope<{ action, conditions, created_at, 6 more... }>
get/accounts/{account_id}/dlp/email/rules/{rule_id}

Get an email scanner rule

List All Email Scanner Rules -> SinglePage<{ action, conditions, created_at, 6 more... }>
get/accounts/{account_id}/dlp/email/rules

Lists all email scanner rules for an account.

Update Email Scanner Rule -> Envelope<{ action, conditions, created_at, 6 more... }>
put/accounts/{account_id}/dlp/email/rules/{rule_id}

Update email scanner rule

zero_trust.dlp.entries

Methods

Create Custom Entry -> Envelope<{ id, created_at, enabled, 4 more... }>
post/accounts/{account_id}/dlp/entries

Creates a DLP custom entry.

Delete Custom Entry -> Envelope<unknown>
delete/accounts/{account_id}/dlp/entries/{entry_id}

Deletes a DLP custom entry.

Get DLP Entry -> Envelope<{ id, created_at, enabled, 5 more... } | { id, confidence, enabled, 3 more... } | { id, created_at, enabled, 4 more... } | 2 more...>
get/accounts/{account_id}/dlp/entries/{entry_id}

Fetches a DLP entry by ID

List All Entries -> SinglePage<{ id, created_at, enabled, 5 more... } | { id, confidence, enabled, 3 more... } | { id, created_at, enabled, 4 more... } | 2 more...>
get/accounts/{account_id}/dlp/entries

Lists all DLP entries in an account.

Update Entry -> Envelope<{ id, created_at, enabled, 5 more... } | { id, confidence, enabled, 3 more... } | { id, created_at, enabled, 4 more... } | 2 more...>
put/accounts/{account_id}/dlp/entries/{entry_id}

Updates a DLP entry.

zero_trust.dlp.limits

Methods